Bug#1057311: bookworm-pu: package debian-edu-config/2.12.41~deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-edu-config@packages.debian.org, debian-edu@lists.debian.org
Control: affects -1 + src:debian-edu-config
Here comes a last-minute fixup for the just accepted 2.12.40~deb12u1 of
debian-edu-config.
We had one last Debian Edu 12 issue related to not being able to change
user passwords via GOsa².
[ Reason ]
Last Friday it turned out that the password change hook mechanism in
GOsa² would pass on passwords to hook scripts with base64 encoding
(instead of plaintext). (Yes, this sounds awful, but it is needed for
e.g. updating Kerberos5 passwords and Samba passwords in Debian Edu).
This upload honours this change in GOsa² and picks up the passwords as
base64 decoded before piping them into kadmin.local and smbpasswd.
[ Impact ]
Debian Edu 12 users won't be able to change their passwords via GOsa²
(IDM of Debian Edu).
[ Tests ]
Manually.
[ Risks ]
Only for Debian Edu users.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
+ [ Guido Berhoerster ]
+ * gosa-sync: Decode the user password which GOsa substitutes base64 encoded.
+ This fixes a bug where the user password could not be set or changed.
+ (related to #1052159).
[ Other info ]
I attached two .debdiff files:
* one against the bookworm-pu 2.12.40~deb12u1 version of d-e-c
(already accepted)
* one against the bookworm 2.12.32 version of d-e-c
diff -Nru debian-edu-config-2.12.40~deb12u1/debian/changelog debian-edu-config-2.12.41~deb12u1/debian/changelog
--- debian-edu-config-2.12.40~deb12u1/debian/changelog 2023-11-30 08:36:15.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/changelog 2023-12-03 08:45:42.000000000 +0100
@@ -1,3 +1,18 @@
+debian-edu-config (2.12.41~deb12u1) bookworm; urgency=medium
+
+ * Upload to bookworm.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 03 Dec 2023 08:45:42 +0100
+
+debian-edu-config (2.12.41) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * gosa-sync: Decode the user password which GOsa substitutes base64 encoded.
+ This fixes a bug where the user password could not be set or changed.
+ (related to #1052159).
+
+ -- Mike Gabriel <sunweaver@debian.org> Fri, 01 Dec 2023 21:44:38 +0100
+
debian-edu-config (2.12.40~deb12u1) bookworm; urgency=medium
* Upload to bookworm.
@@ -7,7 +22,7 @@
debian-edu-config (2.12.40) unstable; urgency=medium
* share/debian-edu-config/gosa.conf.template:
- + Deploy GOsæ² based on its classic theming, the Materialize CSS theme is
+ + Deploy GOsa² based on its classic theming, the Materialize CSS theme is
too immature to be used in production.
-- Mike Gabriel <sunweaver@debian.org> Thu, 30 Nov 2023 08:32:34 +0100
diff -Nru debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/gosa-sync debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-sync
--- debian-edu-config-2.12.40~deb12u1/share/debian-edu-config/tools/gosa-sync 2022-02-11 21:40:55.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-sync 2023-12-03 08:45:01.000000000 +0100
@@ -33,13 +33,10 @@
TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
-cat <<EOF | tr -d "\n" > "$TMPFILE"
+base64 -d - <<EOF > "$TMPFILE"
$USERPASSWORD
EOF
-# remove escapes from the password added by GOsa²...
-sed -i $TMPFILE -e 's/\\//g'
-
# check the password in $TMPfile against LDAP...
IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
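Review bot: the exit status of `base64 -d` is not checked before "$TMPFILE" is handed to `ldapwhoami -y`. If the hook ever receives something that is not valid base64 (for instance from a GOsa² that still substitutes the plaintext), the decode fails or leaves a truncated file, and the `|| true` on the ldapwhoami line means nothing is reported at this point. Suggest failing early with a clear message, e.g. `base64 -d - <<EOF > "$TMPFILE" || { echo "gosa-sync: password is not valid base64" >&2; exit 1; }`. Separately, the trap in the context lines covers ERR and signals but not EXIT, so it is worth confirming that the decoded plaintext file is also removed on the normal exit path.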
diff -Nru debian-edu-config-2.12.32/cf3/cf.adduser debian-edu-config-2.12.41~deb12u1/cf3/cf.adduser
--- debian-edu-config-2.12.32/cf3/cf.adduser 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/cf.adduser 2023-09-27 22:34:54.000000000 +0200
@@ -17,10 +17,8 @@
replace_patterns:
- "FIRST_UID=1000" replace_with => value("FIRST_UID=500");
- "LAST_UID=59999" replace_with => value("LAST_UID=999");
- "FIRST_GID=1000" replace_with => value("FIRST_GID=500");
- "LAST_GID=59999" replace_with => value("LAST_GID=999");
+ "LAST_UID=59999" replace_with => value("LAST_UID=1999");
+ "LAST_GID=59999" replace_with => value("LAST_GID=1999");
"DIR_MODE=0755" replace_with => value("DIR_MODE=0700");
}
diff -Nru debian-edu-config-2.12.32/cf3/cf.cfengine3 debian-edu-config-2.12.41~deb12u1/cf3/cf.cfengine3
--- debian-edu-config-2.12.32/cf3/cf.cfengine3 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/cf.cfengine3 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,15 @@
+bundle agent cfengine3
+{
+# Disable cfengine3 services which are enabled by default when systemd is used (#1043353)
+
+services:
+
+ debian.systemd.(server|ltspserver).installation::
+
+ "cfengine3.service"
+ service_policy => "stop";
+
+ "cfengine3.service"
+ service_policy => "disable";
+
+}
diff -Nru debian-edu-config-2.12.32/cf3/cf.ldapclient debian-edu-config-2.12.41~deb12u1/cf3/cf.ldapclient
--- debian-edu-config-2.12.32/cf3/cf.ldapclient 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/cf.ldapclient 2023-09-27 22:34:54.000000000 +0200
@@ -8,6 +8,12 @@
"/usr/share/debian-edu-config/tools/setup-roaming"
contain => in_shell;
+
+# remove PAM LDAP module
+ debian.!roaming.installation::
+
+ "/usr/sbin/pam-auth-update --disable ldap"
+ contain => in_shell;
}
bundle agent editline_ldapclient
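Review bot: the comment above `debian.!roaming.installation::` says "remove PAM LDAP module", but `pam-auth-update --disable ldap` disables the profile rather than removing anything, and nothing explains why roaming hosts are excluded. Suggest rewording the comment to say the ldap profile is disabled because pam_krb5.so is used instead (as the 2.12.37 changelog entry puts it) and stating the reason roaming workstations keep it.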
diff -Nru debian-edu-config-2.12.32/cf3/cf.ntp debian-edu-config-2.12.41~deb12u1/cf3/cf.ntp
--- debian-edu-config-2.12.32/cf3/cf.ntp 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/cf.ntp 2023-09-27 22:34:54.000000000 +0200
@@ -2,10 +2,10 @@
{
# Use custom ntp configuration for networked clients (package systemd-timesyncd
# is installed by default). On the internal ntp server (default: 'tjener'), the
-# ntp package is installed.
+# ntpsec package is installed.
# Keep systemd-timesyncd default settings for roaming workstations.
-# Note: In case the ntp package is installed, the conflicting systemd-timesyncd
-# package gets removed (but not purged).
+# Note: In case the ntpsec package is installed, the conflicting
+# systemd-timesyncd package gets removed (but not purged).
vars:
@@ -24,30 +24,10 @@
commands:
- # Make sure ntp gets installed
+ # Make sure ntpsec gets installed
debian.server.installation::
- "/usr/bin/apt-get install -y ntp"
+ "/usr/bin/apt-get install -y ntpsec"
contain => in_shell;
}
-
-bundle agent editline_ntp
-{
-
-vars:
-
- "ntp_conf" slist => { "server 127.127.1.0 #local clock as fallback",
- "fudge 127.127.1.0 stratum 10 #not disciplined",};
-
-files:
-
- # Add local clock on the main-server to ensure clients can sync with
- # the main-server even when Internet connection is missing.
-
- debian.server.installation::
-
- "/etc/ntp.conf"
- edit_line => append_if_no_line( @(ntp_conf) );
-}
-
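Review bot: removing `editline_ntp` drops the local-clock fallback (`server 127.127.1.0` and `fudge 127.127.1.0 stratum 10`), whose stated purpose was to let clients sync with the main server when the Internet connection is missing. The 2.12.33 changelog entry says a drop-in file replaces editing the configuration file, but that file is not part of this hunk. Please confirm the ntpsec drop-in carries an equivalent fallback, or state in the changelog that the fallback is intentionally gone.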
diff -Nru debian-edu-config-2.12.32/cf3/cf.pam debian-edu-config-2.12.41~deb12u1/cf3/cf.pam
--- debian-edu-config-2.12.32/cf3/cf.pam 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/cf.pam 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+bundle agent editline_pam_group
+{
+vars:
+
+ "default_groups" string => "*;*;*;Al0000-2400;audio,bluetooth,cdrom,dip,floppy,netdev,plugdev,scanner,video";
+
+files:
+
+ debian.(workstation|roaming).installation::
+
+ "/etc/security/group.conf"
+ create => "true",
+ edit_line => append_if_no_line("$(default_groups)");
+}
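Review bot: the `default_groups` entry uses `*;*;*` for the services, ttys and users fields, so every account on every PAM service that evaluates group.conf, remote logins included, is given audio, video, plugdev, netdev and the other device groups at all times (`Al0000-2400`). The changelog intent is that LDAP users get these groups on workstations; consider narrowing the services or ttys field to the local login paths so that a remote session does not gain device access. A one-line comment giving the field layout (services;ttys;users;times;groups) would help, and note that `append_if_no_line` leaves the old line in place if this string is ever changed.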
diff -Nru debian-edu-config-2.12.32/cf3/cf.samba debian-edu-config-2.12.41~deb12u1/cf3/cf.samba
--- debian-edu-config-2.12.32/cf3/cf.samba 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/cf.samba 2023-09-27 22:34:54.000000000 +0200
@@ -9,9 +9,13 @@
debian.server.installation::
+ # GID 10004 is the "students" group, the group name cannot be used here
+ # since slapd is not running when this bundle is evaluated during
+ # installation, the GID must be to be kept in sync with
+ # ldap-bootstrap/{samba.ldif,gosa.ldif}
"$(usershares_file)"
create => "true",
- perms => mog("1770","root","students");
+ perms => mog("1770","root","10004");
"/etc/samba/smb.conf"
link_from => ln_s("/etc/samba/smb-debian-edu.conf"),
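Review bot: the new comment has a wording slip ("the GID must be to be kept in sync") and the GID is a bare literal in `mog("1770","root","10004")`. Suggest fixing the sentence and moving 10004 into a named variable with the same cross-reference to ldap-bootstrap/{samba.ldif,gosa.ldif}, so that a GID change is a single edit and easy to grep for.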
diff -Nru debian-edu-config-2.12.32/cf3/cf.syslog debian-edu-config-2.12.41~deb12u1/cf3/cf.syslog
--- debian-edu-config-2.12.32/cf3/cf.syslog 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/cf.syslog 2023-09-27 22:34:54.000000000 +0200
@@ -20,6 +20,10 @@
"/etc/rsyslog.d/debian-edu-collector.conf"
link_from => ln_s("/usr/share/debian-edu-config/rsyslog-collector"),
move_obstructions => "true";
+
+ "/etc/rsyslog.d/debian-edu-filters.conf"
+ link_from => ln_s("/usr/share/debian-edu-config/rsyslog-filters"),
+ move_obstructions => "true";
}
bundle agent editline_syslog
diff -Nru debian-edu-config-2.12.32/cf3/promises.cf debian-edu-config-2.12.41~deb12u1/cf3/promises.cf
--- debian-edu-config-2.12.32/cf3/promises.cf 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/cf3/promises.cf 2023-09-27 22:34:54.000000000 +0200
@@ -8,9 +8,9 @@
body server control
# Debian Edu specific
{
- allowconnects => { "10.0.0.0.0/8" };
- allowallconnects => { "10.0.0.0.0/8" };
- trustkeysfrom => { "10.0.0.0.0/8" };
+ allowconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ allowallconnects => { "127.0.0.1", "::1", "10.0.0.0/8" };
+ trustkeysfrom => { "127.0.0.1", "::1", "10.0.0.0/8" };
maxconnections => "15";
denybadclocks => "false";
allowusers => { "root" };
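Review bot: with the malformed `10.0.0.0.0/8` corrected, `allowallconnects` and `trustkeysfrom` now cover the whole 10.0.0.0/8 as written. `trustkeysfrom` lists the addresses from which previously unknown public keys are accepted on trust, which is broad for a range that contains every client, and `denybadclocks => "false"` sits just below it. Since cf.cfengine3 in this same upload stops and disables cfengine3.service, consider keeping only `"127.0.0.1", "::1"` in `trustkeysfrom` (and probably in `allowallconnects`), or add a comment saying why the full network range is required.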
@@ -28,11 +28,13 @@
bundlesequence => {
edu,
+ cfengine3,
permission_homes,
editline_homes,
editline_bind,
editline_ldapserver,
editline_ldapclient,
+ editline_pam_group,
editline_syslog,
adduser,
apache2,
@@ -53,7 +55,6 @@
ldapclient,
desktop,
ntp,
- editline_ntp,
squid,
sshd,
syslog,
@@ -71,9 +72,11 @@
"lib/common.cf",
"lib/commands.cf",
"lib/files.cf",
+ "lib/services.cf",
"debian-edu/cf.adduser",
"debian-edu/cf.apache2",
"debian-edu/cf.bind",
+ "debian-edu/cf.cfengine3",
"debian-edu/cf.chromium",
"debian-edu/cf.cups",
"debian-edu/cf.samba",
@@ -91,6 +94,7 @@
"debian-edu/cf.ldapserver",
"debian-edu/cf.ldapclient",
"debian-edu/cf.ntp",
+ "debian-edu/cf.pam",
"debian-edu/cf.pxeinstall",
"debian-edu/cf.squid",
"debian-edu/cf.sshd",
diff -Nru debian-edu-config-2.12.32/debian/changelog debian-edu-config-2.12.41~deb12u1/debian/changelog
--- debian-edu-config-2.12.32/debian/changelog 2023-03-27 20:40:47.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/changelog 2023-12-03 08:45:42.000000000 +0100
@@ -1,3 +1,246 @@
+debian-edu-config (2.12.41~deb12u1) bookworm; urgency=medium
+
+ * Upload to bookworm.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 03 Dec 2023 08:45:42 +0100
+
+debian-edu-config (2.12.41) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * gosa-sync: Decode the user password which GOsa substitutes base64 encoded.
+ This fixes a bug where the user password could not be set or changed.
+ (related to #1052159).
+
+ -- Mike Gabriel <sunweaver@debian.org> Fri, 01 Dec 2023 21:44:38 +0100
+
+debian-edu-config (2.12.40~deb12u1) bookworm; urgency=medium
+
+ * Upload to bookworm.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 30 Nov 2023 08:36:15 +0100
+
+debian-edu-config (2.12.40) unstable; urgency=medium
+
+ * share/debian-edu-config/gosa.conf.template:
+ + Deploy GOsa² based on its classic theming, the Materialize CSS theme is
+ too immature to be used in production.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 30 Nov 2023 08:32:34 +0100
+
+debian-edu-config (2.12.39) unstable; urgency=medium
+
+ * ldap-bootstrap/root.ldif: Fix gosaAclEntry of BaseDN object.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sun, 19 Nov 2023 09:56:39 +0100
+
+debian-edu-config (2.12.38) unstable; urgency=medium
+
+ [ Wolfgang Schweer ]
+ * Fix main server network setup. Closes: #1055647.
+
+ -- Holger Levsen <holger@debian.org> Fri, 10 Nov 2023 16:42:11 +0100
+
+debian-edu-config (2.12.37) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Discard excessive nullmailer logging.
+ Filter out log messages coming from a client running nullmailer since it is
+ very verbose and can easily fill up the filesystem under /var/log.
+ (Closes: #1003728).
+ * ldap-createuser-krb5: fix password prompt.
+ * Disable cfengine3 systemd service.
+ Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
+ pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
+ instead.
+ * Rewrite testsuite/filesystems, add exception for /boot
+ Rewrite for clarity and robustness. Add exception for /boot which may use
+ ext2.
+ * testsuite/ldap-{server,client}: Fix invocation of ldapsearch.
+ The -h command line option has been removed, ldapsearch now only accepts a
+ LDAP URI via the -H option.
+ Also do not use the deprecated egrep and get rid of unnecessary wc.
+ Use dig and awk instead of host and interpret the SRV record properly.
+ * testsuite/ldap-client: Improve error message on PAM modules.
+ * Fix remaining invocations of ldapsearch.
+ * Disable using the LDAP PAM module (we use pam_krb5.so instead).
+ * setup-freeradius-server: Set commonName and subjectAltNames on the server
+ cert.
+ (Closes: #1010159).
+ * setup-freeradius-server: Improve robustness
+ Use update-ini-file for OpenSSL config files.
+ Use more precise sed substitutions which do not rely on example values.
+ Increase password length from 8 to 16 characters.
+ * Change minimum UID/GID for LDAP user to 2000 (Closes: #1003192)
+ With this change local user accounts now use the UID/GID range 1000-1999
+ instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
+ 1000-59999. This is to reserve UID/GID 0-999 for system users which is the
+ default in Debian and not conforming to it is increasingly problematic as
+ packages are beginning to use systemd-sysusers for creating system user
+ accounts which does not obey /etc/addusers.conf or /etc/login.defs by default.
+ The first user account created during installation now has UID/GID 2000 instead
+ of 1000.
+ Configure gosa and adjust ldap-createuser-krb5 accordingly.
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 27 Sep 2023 09:57:06 +0200
+
+debian-edu-config (2.12.36) unstable; urgency=medium
+
+ [ Mike Gabriel ]
+ * ldap-bootstrap/gosa.ldif:
+ + Provide ou=incoming potentially used by GOsa²'s class 'newArpDevice'.
+ This is esp. to silence GOsa² error messages but might be useful at a
+ later point of time.
+
+ [ Guido Berhoerster ]
+ * Update proxy settings in dconf.
+ This adds support in update-proxy-from-wpad for setting the proxy default
+ values in dconf (used by e.g. GNOME components). The values are added to
+ a site database, it also packages an empty local database in order to
+ obviate the need to modify the user profile. (Closes: #955702)
+ * Remove use of obsolete grep aliases. These have been obsolete forever and
+ have been removed from GNU grep upstream.
+ * Use command -v builtin over external which command
+ * Do not solely rely on the presence of init scripts in maintainer scripts.
+ Check also for systemd service files.
+ * Remove direct invocation of wlan init script. This no longer exists in
+ Debian.
+ * Replace invocation of fetch-ldap-cert init script in DHCP hooks and rename.
+ dhclient hook in Makefile.
+ This has been replaced by fetch-rootca-cert (see #971780).
+ * Silence exim4 warnings in logfile.
+ The lack of keep_environment in the exim4 configuration for clients leads to
+ continuous warnings in the logfile:
+ 'Warning: purging the environment. Suggested action: use keep_environment.'
+ Setting it to an empty value (which is the default) silences that.
+ * Ship PAM group.conf for workstations. LDAP users should be members of
+ several system groups on networked (roaming) workstations.
+ * Add missing dependency on iptables
+ This is required by debian-edu-update-netblock (Closes: #1051446).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 09 Sep 2023 23:04:46 +0200
+
+debian-edu-config (2.12.35) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Remove configure-edu-gateway. (Closes: #1043407).
+ The script is obsoleted by the more sophisticated configuration
+ abilities provided by the debian-edu-router-config package.
+ * Do not hardcode X2Go desktop to Xfce. (Closes: #1049396).
+ Add a commandline option --x2go_desktop for specifying the default desktop
+ and make a best effort finding a usable desktop if none is specified.
+ * Disable cf-execd on installation. (Closes: #1041323).
+ Currently cf-execd is enabled by default if systemd is used (see #1043353)
+ but the agent should only be run on installation.
+ * Do not attempt to fetch the rootCA cert outside of a DebianEdu network
+ An error should only be reported if the machine is inside a DebianEdu
+ network, i.e. www.intern is resolvable, but the download fails. (Closes:
+ #1008599).
+
+ [ Mike Gabriel ]
+ * debian/tests/control: Remove configure-edu-gateway from list of tests.
+ Script and testscript are now gone. (Related to closure of #1043407, see
+ above).
+ * Silence lintian warnings of type 'bash-term-in-posix-shell' by using
+ variable names that lintian can't confuse with bash-only pre-set
+ variables (e.g. $HOSTNAME or $UID).
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 19 Aug 2023 17:00:36 +0200
+
+debian-edu-config (2.12.34) unstable; urgency=medium
+
+ [ Mike Gabriel ]
+ * Start 2.12.34 development.
+ * debian/debian-edu-config.lintian-overrides:
+ + Update existing overrides (line numbers and such).
+ + Drop missing-systemd-service-for-init.d-script overrides. Systemd service
+ files are now provided.
+ + Drop init.d-script-does-not-implement-status-option override for
+ fetch-ldap-cert. Init script is now gone.
+ * testsuite: Install to pkglibexecdir rather than libexecdir. Thanks lintian.
+ * Makefile: Adjust white-spacing in variable declarations.
+ * Makefile: Use $(NULL) variable at end of file lists. Allow for better git-
+ patch readability.
+ * Convert CRON configuration to systemd timers.
+ * sbin/*-for-netgroup-hosts: Some noop + white-spacing beautifications.
+ * Move d-e-c-*-for-netgroup-hosts scripts to pkglibexecdir.
+ * debian/debian-edu-config.postinst:
+ + Assure runlevel de-registering of init script fetch-ldap-cert.
+ * debian/debian-edu-config.maintscript:
+ + Assure removal of /etc/init.d/fetch-ldap-cert conffile.
+ * debian/debian-edu-config.cron.*:
+ + Only run scripts if they exist. Thanks piuparts.
+
+ [ Daniel Teichmann ]
+ * etc/dhcp/dhcp-debian-edu.conf:
+ + ldap-server. 'ldap' -> 'ldap.intern'. (Closes: #1039966).
+ * share/debian-edu-config/tools/gosa-remove:
+ + Fix kadmin.local, Use '-force' to disable interaction via stdin.
+
+ [ Guido Berhoerster ]
+ * ldap-tools/ldap-createuser-krb5:
+ + Fix user creation. (Closes: #1042456).
+ Remove Samba NT4 domain support, add samba user using smbpasswd.
+ Add root CA for new users (copied from gosa-create).
+ + Fix new UID/GID selection.
+ Exclude special users (UID/GID >= 10000) when looking for the highest
+ UID/GID.
+ + Add CLI options for uid/gid/department.
+ Also ensure script is run as root.
+ + Add additional attributes based on template users.
+ + Add support for additional groups.
+ + Send welcome email in order to create maildir.
+ Without this the maildir in /var/mail/<user> will not exist and Dovecot
+ will refuse to let the user log in as it cannot create this directory.
+ + Set LDAP password when creating users.
+ This allows users to use GOsa² to change their password.
+ * Add systemd services for configuring Chromium/Firefox from LDAP.
+ Factor out logic from init script into separate script which are then called
+ from both the init script and systemd services.
+ * Add systemd service enabling NAT for thin clients.
+ * Add systemd service for fetching the RootCA file from the main server.
+ * Drop init script for fetching LDAP SSL public key from legacy main servers.
+ This drops support for clients running behind a main server based on Debian
+ Edu stretch. (Closes: #1030116).
+ * Update debian/rules for init scripts and systemd services. (Closes:
+ #1039166).
+ * Generate a random password for the icinga/icingaweb databases.
+ (Closes: #1040015).
+ * update-dlw-krb5-keytabs: Handle missing/empty diskless-workstation-hosts.
+ * Followup fixes for ntpsec transition.
+ * Add systemd support to debian-edu-restart-services: This uses a list
+ of service units which was compiled on a main server + ltsp
+ installation. Uses stop and start to force restart
+ reverse-dependencies. It also makes sure that drop in files are
+ recognized. (Closes: #1042940).
+ * Configure gosa not to use STARTTLS since TLS is already used. ldapTLS
+ configures the use of STARTTLS, not TLS per se which is enabled by the
+ use of ldaps: protocol in URLs. (Closes: #1041322).
+ * Allow root access to cups via SystemGroups. 'root' access is allowed in
+ the default configuration and e.g. necessary for services like
+ debian-edu-cups-queue-autoflush.service to work. (Closes: #1043397).
+ * cf3/promises.cf: fix typo and allow connections from localhost and network.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 10 Aug 2023 16:47:59 +0200
+
+debian-edu-config (2.12.33) unstable; urgency=medium
+
+ [ Guido Berhoerster ]
+ * Adapt ntp configuration for ntpsec. Closes: #1038881.
+ ntpsec has replaced ntp in bookworm, adapt configuration and add a
+ drop-in file instead of editing the configuration file. Drop insserv
+ overrides for ntp, the ntpsec systemd unit has an ordering dependency
+ on nss-lookup.target equivalent to the "$named" facility.
+ * Set up database for icingaweb2
+ Starting with version 2.11 user preferences must be stored in the DB.
+ * Fix permissions issue preventing icingaweb2 from reading the backend config
+ The /etc/icingaweb2/modules directory ends up with "drwxrwSrwx" permissions,
+ missing the "x" bit preventing icingaweb2 from reading the monitoring backend
+ configuration in /etc/icingaweb2/modules/monitoring/. Instead of adjusting
+ single files and directories, enforce sensible permissions on all directories
+ and configuration files. Closes: #1039475.
+
+ -- Mike Gabriel <sunweaver@debian.org> Sat, 01 Jul 2023 05:41:56 +0200
+
debian-edu-config (2.12.32) unstable; urgency=medium
* debian-edu-ltsp-install: fix failure with absent BD iso images. Patch
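Review bot: in the 2.12.37 entry on the UID/GID change, the file is named as `/etc/addusers.conf`; the adduser configuration file is /etc/adduser.conf. In the 2.12.36 entry, "in DHCP hooks and rename." followed by "dhclient hook in Makefile." reads as one sentence split by a stray full stop. Both are documentation fixes only, but this text is what stable users will read for the behaviour change.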
diff -Nru debian-edu-config-2.12.32/debian/control debian-edu-config-2.12.41~deb12u1/debian/control
--- debian-edu-config-2.12.32/debian/control 2023-03-27 20:40:24.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/control 2023-09-27 22:34:54.000000000 +0200
@@ -5,7 +5,6 @@
Uploaders: Petter Reinholdtsen <pere@debian.org>,
Holger Levsen <holger@debian.org>,
Mike Gabriel <sunweaver@debian.org>,
- Wolfgang Schweer <wschweer@arcor.de>,
Dominik George <natureshadow@debian.org>,
Standards-Version: 4.6.2
Rules-Requires-Root: no
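Review bot: the Uploaders field loses the Wolfgang Schweer line here, but I do not see a matching entry in the debian/changelog diff above, while the checklist states that all changes are documented in d/changelog. Suggest adding a changelog line for the Uploaders update.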
@@ -30,6 +29,7 @@
education-tasks,
fping,
gnutls-bin,
+ iptables,
isenkram-cli,
ldap-utils,
libconfig-inifiles-perl,
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.chromium-ldapconf
--- debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf 2019-02-12 15:00:02.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.chromium-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -20,31 +20,9 @@
. /lib/lsb/init-functions
-if [ -e /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-do_start() {
- # Skip this on LTSP chroots
- if [ -e /etc/ltsp_chroot ] ; then
- return
- fi
-
- # Only networked profiles use LDAP
- if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
- /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
- fi
-
- if echo "$PROFILE" | grep -q LTSP-Server && [ -d /opt/ltsp ] ; then
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
- chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
- done
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/chromium-ldapconf
;;
stop)
;;
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.chromium-ldapconf.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.chromium-ldapconf.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.chromium-ldapconf.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
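Review bot: this file is debian-edu-config.chromium-ldapconf.service, yet `Description=Update firefox configuration from LDAP` and `ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf` both refer to Firefox. The init script in the preceding hunk calls `/usr/share/debian-edu-config/tools/chromium-ldapconf`, so this unit does not do what its init counterpart does. It looks like a copy of the firefox unit; both lines should name chromium.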
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.cron.daily debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.cron.daily
--- debian-edu-config-2.12.32/debian/debian-edu-config.cron.daily 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.cron.daily 2023-09-27 22:34:54.000000000 +0200
@@ -3,12 +3,9 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
-# Automatically flush print queues every night if the
-# host is a member of the cups-queue-autoflush-hosts netgroup.
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
- if innetgr -h $hostname cups-queue-autoflush-hosts ; then
- /usr/share/debian-edu-config/tools/cups-queue-autoflush
- fi
-done
+# regularly run CUPS Queue autoflush if configured via netgroups
+if [ -x /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoflush-for-netgroup-hosts ]; then
+ exec /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoflush-for-netgroup-hosts
+fi
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.cron.hourly debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.cron.hourly
--- debian-edu-config-2.12.32/debian/debian-edu-config.cron.hourly 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.cron.hourly 2023-09-27 22:34:54.000000000 +0200
@@ -3,21 +3,14 @@
PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH
-[ -x /usr/bin/innetgr ] || exit 0
+[ -d /run/systemd/system ] && exit 0
-for hostname in "$(uname -n)" "$(hostname -s)" ; do
+# regularly run fsautoresize if configured via netgroups
+if [ -x /usr/libexec/debian-edu-config/debian-edu-fsautoresize-for-netgroup-hosts ]; then
+ /usr/libexec/debian-edu-config/debian-edu-fsautoresize-for-netgroup-hosts
+fi
- # Automatically extend full LVM volumes if the host is a member of
- # the fsautoresize-hosts netgroup.
- if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
- innetgr -h $hostname fsautoresize-hosts ; then
- debian-edu-fsautoresize -n
- fi
-
- # Automatically restart disabled print queues every hour if the
- # host is a member of the cups-queue-autoreenable-hosts netgroup.
- if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
- innetgr -h $hostname cups-queue-autoreenable-hosts ; then
- /usr/share/debian-edu-config/tools/cups-queue-autoreenable
- fi
-done
+# regularly run CUPS Queue autoreenable if configured via netgroups
+if [ -x /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoreenable-for-netgroup-hosts ]; then
+ /usr/libexec/debian-edu-config/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
+fi
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-flush CUPS queues on hosts configured via the cups-queue-autoflush-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/debian-edu-config/debian-edu-cups-queue-autoflush-for-netgroup-hosts
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoflush.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoflush.service every day.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target
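Review bot: `OnBootSec=15min` together with `OnUnitActiveSec=1d` schedules relative to boot and to the last activation, not to a time of day. The cron.daily comment this replaces described flushing the print queues "every night"; with this timer a machine that is switched on each morning flushes 15 minutes after boot. If the nightly semantics matter, `OnCalendar=daily` with `Persistent=true` is closer to the old behaviour; otherwise the Description should say what now happens.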
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Auto-reenable CUPS queues on hosts configured via the cups-queue-autoreenable-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/debian-edu-config/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-cups-queue-autoreenable.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-cups-queue-autoreenable.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run fsautoresize regularly on hosts configured via the fsautoresize-hosts netgroup.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/debian-edu-config/debian-edu-fsautoresize-for-netgroup-hosts
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.timer debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-fsautoresize.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-fsautoresize.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-fsautoresize.service every hour.
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=1h
+
+[Install]
+WantedBy=timers.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update netblock according to netblock-hosts netgroup configuration.
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/debian-edu-update-netblock auto
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.timer debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.timer
--- debian-edu-config-2.12.32/debian/debian-edu-config.debian-edu-update-netblock.timer 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.debian-edu-update-netblock.timer 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run debian-edu-update-netblock.service every 5 minutes
+
+[Timer]
+OnBootSec=15min
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.enable-nat.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.enable-nat.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.enable-nat.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.enable-nat.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables NAT for clients in the thin clients network
+After=remote-fs.target network-online.target
+Wants=remote-fs.target
+ConditionFileIsExecutable=/usr/sbin/iptables
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/nat enable
+ExecStop=/usr/share/debian-edu-config/tools/nat disable
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.fetch-ldap-cert debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.fetch-ldap-cert
--- debian-edu-config-2.12.32/debian/debian-edu-config.fetch-ldap-cert 2023-01-30 14:36:07.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.fetch-ldap-cert 1970-01-01 01:00:00.000000000 +0100
@@ -1,135 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: fetch-ldap-cert
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Should-Start: $network $syslog $named slapd
-# Default-Start: 2 3 4 5
-# Default-Stop:
-# Short-Description: Fetch LDAP SSL public key from the server
-# Description:
-# Start before krb5-kdc to give slapd time to become operational
-# before krb5-kdc try to connect to the LDAP server as a workaround
-# for #589915.
-# X-Start-Before: isc-dhcp-server krb5-kdc nslcd
-### END INIT INFO
-#
-# Author: Petter Reinholdtsen <pere@hungry.com>
-# Date: 2007-06-09
-#
-# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
-# Date: 2022-01-06
-
-###
-### FIXME: Legacy init script for Debian Edu clients.
-###
-### --- Remove for Debian Edu bookworm+1 ---
-###
-### Warning: Removing this script will drop support for clients running
-### against Debian Edu main servers based on Debian Edu stretch and
-### earlier.
-###
-
-set -e
-
-. /lib/lsb/init-functions
-
-CERTFILE=/etc/ssl/certs/debian-edu-server.crt
-
-do_start() {
-
- # Locate LDAP server
- LDAPSERVER=$(debian-edu-ldapserver)
- LDAPPORT=636 # ldaps
- ERROR=false
-
- ###
- ### PHASE 1: LDAP server cert retrieval
- ###
-
- if ( [ ! -f $CERTFILE ] || [ ! -f $ROOTCACRT ] ) && [ -f /etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt /etc/nslcd.conf ; then
-
- # LDAP server host not known/found, bailing out...
- if [ -z "$LDAPSERVER" ] ; then
- msg="Failed to locate LDAP server"
- log_action_begin_msg "$msg"
- log_action_end_msg 1
- logger -t fetch-ldap-cert "$msg."
- return 1
- fi
-
- [ "$VERBOSE" != no ] && log_action_begin_msg "Fetching LDAP SSL certificate."
-
- # Fetch LDAP certificate from the Debian Edu main server (i.e. from the LDAP server)
- /usr/share/debian-edu-config/tools/ldap-server-getcert $LDAPSERVER > $CERTFILE.new
- chmod 644 $CERTFILE.new
-
- if test -s $CERTFILE.new ; then
- mv $CERTFILE.new $CERTFILE
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- logger -t fetch-ldap-cert "Fetched LDAP SSL certificate from $LDAPSERVER."
- else
- # We obviously have failed in some way if the CERTFILE.new is empty (zero size).
- # Something went wrong, if we end up here...
- rm -f $CERTFILE.new
- log_action_end_msg 1
- logger -t fetch-ldap-cert "Failed to fetch LDAP SSL certificate from $LDAPSERVER."
- ERROR=true
- fi
-
- fi
-
- ###
- ### PHASE 2: Deploy the obtained CERTFILE to LTSP chroots, if any are present.
- ###
-
- if [ -d /opt/ltsp ] && [ "$ERROR" = "false" ]; then
-
- # Loop over all to be found LTSP chroots...
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
-
- if [ ! -d $ltsp_chroot/etc/ssl/certs/ ]; then
- # likely not a chroot dir, skipping...
- continue
- fi
-
- # Only install the CERTFILE into this chroot, if not already present...
- if [ ! -f $ltsp_chroot$CERTFILE ] && [ -f $ltsp_chroot/etc/nslcd.conf ] &&
- grep -q /etc/ssl/certs/debian-edu-server.crt $ltsp_chroot/etc/nslcd.conf ; then
-
- # Copy the obtained CERTFILE into the LTSP chroot (containing the LDAP server's
- # certificate.
- log_action_begin_msg "Copying LDAP SSL certificate to ltsp-chroot $ltsp_chroot "
- [ "$VERBOSE" != no ] &&
- if test -s $CERTFILE; then
- cp $CERTFILE $ltsp_chroot$CERTFILE
- [ "$VERBOSE" != no ] && log_action_end_msg 0
- else
- log_action_end_msg 1
- ERROR=true
- fi
- fi
-
- done
- fi
-
- if [ "$ERROR" = "true" ]; then
- return 1
- fi
-}
-
-case "$1" in
- start)
- do_start
- ;;
- stop)
- ;;
- restart|force-reload)
- ;;
- *)
- echo "Usage: $0 {start|stop|restart|force-reload}"
- exit 2
-esac
-
-exit 0
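Review bot: the header of the removed script says "Remove for Debian Edu bookworm+1" and warns that removing it drops support for clients running against main servers based on Debian Edu stretch and earlier, yet this diff removes it in 2.12.41~deb12u1. Please state in the changelog that this compatibility is being dropped within the stable series, or keep the script until the release its own FIXME names.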
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.fetch-rootca-cert
--- debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.fetch-rootca-cert 2023-09-27 22:34:54.000000000 +0200
@@ -19,68 +19,10 @@
. /lib/lsb/init-functions
-if [ -r /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
-ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
-LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
-
-do_start() {
-
- ERROR=false
-
- # Remove no longer used certificate file
- rm -f $BUNDLECRT
-
- # RootCA cert retrieval (avoid execution on the main server, things are in place)
- if echo "$PROFILE" | egrep -q 'Main-Server' ; then
- logger -t fetch-rootca-cert "Running on the main server, exiting."
- exit 0
- fi
- if [ ! -f $LOCALCACRT ] || [ ! -s $LOCALCACRT ] ; then
- # Since Debian Edu 10, the RootCA file is distributed
- # over http (always via the host serving www.intern, by default: TJENER)
- #
- # We do an availability check for the webserver first, to provide proper
- # error reporting (see below). So, the following check merely discovers,
- # if the webserver is online at all.
- if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
- # Now let's see if the webserver has the "Debian Edu RootCA" file.
- # This has been the case for Debian Edu main servers (TJENER) since
- # Debian Edu 10.1.
- if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
- grep -q CERTIFICATE $LOCALCACRT ; then
- # Make rootCA certificate available in /etc/ssl/certs/
- ln -nsf $LOCALCACRT $ROOTCACRT
- # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
- update-ca-certificates
- logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
- else
- # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
- # 404 http error message in html.
- rm -f $LOCALCACRT
- rm -f $ROOTCACRT
- logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
- fi
- else
- # Report an error, if www.intern is down http-wise. This can happen and is probably
- # a temporary problem that needs an admin to fix it.
- log_action_end_msg 1
- logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
- ERROR=true
- fi
- fi
-
- if $ERROR; then
- return 1
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/fetch-rootca-cert
+ exit $?
;;
stop)
;;
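Review bot: the start branch now delegates to /usr/share/debian-edu-config/tools/fetch-rootca-cert, so the trust decision moves out of this file and has to be reviewed there. The removed do_start fetched the CA with "curl -fk" (no server verification), accepted it as soon as "grep -q CERTIFICATE" matched, and then ran update-ca-certificates, which makes whatever answered as www.intern a system-wide trust anchor. Please confirm the tool still fetches only when the local file is missing or empty, and consider having it download to a temporary file and check that the content parses as a certificate before moving it into /usr/local/share/ca-certificates, instead of redirecting curl straight into that directory as the removed code did.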
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.fetch-rootca-cert.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.fetch-rootca-cert.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.fetch-rootca-cert.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,13 @@
+[Unit]
+Description=Fetch Debian Edu rootCA certificate from the main server
+After=remote-fs.target network-online.target
+Before=nslcd.service
+Wants=remote-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/fetch-rootca-cert
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
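Review bot: After= lists network-online.target but Wants= only pulls in remote-fs.target, so this unit does not activate network-online.target itself and the ordering only takes effect if some other unit pulls that target in. The fetch needs the network, so add "Wants=network-online.target" as firefox-ldapconf.service in this diff does; enable-nat.service has the same After=/Wants= mismatch.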
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.firefox-ldapconf
--- debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.firefox-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -20,31 +20,9 @@
. /lib/lsb/init-functions
-if [ -e /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-do_start() {
- # Skip this on LTSP chroots
- if [ -e /etc/ltsp_chroot ] ; then
- return
- fi
-
- # Only networked profiles use LDAP
- if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
- /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
- fi
-
- if echo "$PROFILE" | grep -q LTSP-Server && [ -d /opt/ltsp ] ; then
- for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
- chroot $ltsp_chroot /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
- done
- fi
-}
-
case "$1" in
start)
- do_start
+ /usr/share/debian-edu-config/tools/firefox-ldapconf
;;
stop)
;;
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf.service debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.firefox-ldapconf.service
--- debian-edu-config-2.12.32/debian/debian-edu-config.firefox-ldapconf.service 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.firefox-ldapconf.service 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firefox configuration from LDAP
+After=network-online.target remote-fs.target nss-lookup.target slapd.service fetch-ldap-cert.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/debian-edu-config/tools/firefox-ldapconf
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
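Review bot: After= still names fetch-ldap-cert.service, but this diff removes the fetch-ldap-cert init script (rm_conffile in the maintscript, "update-rc.d -f fetch-ldap-cert remove" in postinst) and adds no unit of that name, so the ordering refers to nothing. If the intent is to wait for the CA certificate before querying LDAP, order after fetch-rootca-cert.service instead.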
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.lintian-overrides debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.lintian-overrides
--- debian-edu-config-2.12.32/debian/debian-edu-config.lintian-overrides 2023-01-30 14:31:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.lintian-overrides 2023-09-27 22:34:54.000000000 +0200
@@ -5,39 +5,20 @@
debian-edu-config: debconf-is-not-a-registry [usr/share/debian-edu-config/tools/edu-icinga-setup:24]
debian-edu-config: debconf-is-not-a-registry [usr/share/debian-edu-config/tools/kerberos-kdc-init:31]
debian-edu-config: debconf-is-not-a-registry [usr/share/debian-edu-config/tools/run-at-firstboot:11]
-debian-edu-config: missing-systemd-service-for-init.d-script chromium-ldapconf [etc/init.d/chromium-ldapconf]
-debian-edu-config: missing-systemd-service-for-init.d-script enable-nat [etc/init.d/enable-nat]
-debian-edu-config: missing-systemd-service-for-init.d-script fetch-ldap-cert [etc/init.d/fetch-ldap-cert]
-debian-edu-config: missing-systemd-service-for-init.d-script fetch-rootca-cert [etc/init.d/fetch-rootca-cert]
-debian-edu-config: missing-systemd-service-for-init.d-script firefox-ldapconf [etc/init.d/firefox-ldapconf]
debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/chromium-ldapconf]
-debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/fetch-ldap-cert]
debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/fetch-rootca-cert]
debian-edu-config: init.d-script-does-not-implement-status-option [etc/init.d/firefox-ldapconf]
debian-edu-config: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [postinst:177]
debian-edu-config: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [postinst:182]
debian-edu-config: possibly-insecure-handling-of-tmp-files-in-maintainer-script $TMPDIR/all.ldif [postinst:184]
-debian-edu-config: unused-debconf-template debian-edu-config/first-user-fullname [templates:471]
-debian-edu-config: unused-debconf-template debian-edu-config/first-user-name [templates:465]
-debian-edu-config: unused-debconf-template debian-edu-config/first-user-password [templates:477]
+debian-edu-config: unused-debconf-template debian-edu-config/first-user-fullname [templates:491]
+debian-edu-config: unused-debconf-template debian-edu-config/first-user-name [templates:485]
+debian-edu-config: unused-debconf-template debian-edu-config/first-user-password [templates:497]
debian-edu-config: unused-debconf-template debian-edu-config/kdc-password [templates:71]
-debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-again [templates:148]
-debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-empty [templates:227]
-debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-mismatch [templates:188]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password [templates:268]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-again [templates:345]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-empty [templates:424]
-debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-mismatch [templates:385]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:117]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:122]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:124]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:127]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/sbin/update-hostname-from-ip:128]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:182]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:183]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:184]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/d-i/pre-pkgsel:198]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/tools/gosa-create:32]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/tools/gosa-remove:34]
-debian-edu-config: bash-term-in-posix-shell '$HOSTNAME' [usr/share/debian-edu-config/tools/gosa-remove:38]
-debian-edu-config: bash-term-in-posix-shell '$UID' [usr/share/debian-edu-config/tools/kerberos-kdc-init:253]
+debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-again [templates:152]
+debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-empty [templates:235]
+debian-edu-config: unused-debconf-template debian-edu-config/kdc-password-mismatch [templates:194]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password [templates:278]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-again [templates:359]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-empty [templates:442]
+debian-edu-config: unused-debconf-template debian-edu-config/ldap-password-mismatch [templates:401]
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.maintscript debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.maintscript
--- debian-edu-config-2.12.32/debian/debian-edu-config.maintscript 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.maintscript 2023-09-27 22:34:54.000000000 +0200
@@ -2,3 +2,4 @@
rm_conffile /share/debian-edu-config/debian-edu.ldapscripts.passwd 2.12.5
rm_conffile /etc/cfengine3/debian-edu/cf.ldapscripts 2.12.5
dir_to_symlink /etc/debian-edu/host-keytabs /var/lib/debian-edu/host-keytabs 2.12.17
+rm_conffile /etc/init.d/fetch-ldap-cert 2.12.33
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.postinst debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.postinst
--- debian-edu-config-2.12.32/debian/debian-edu-config.postinst 2022-06-13 12:36:44.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.postinst 2023-09-27 22:34:54.000000000 +0200
@@ -94,9 +94,9 @@
# start the enable-nat init script if we have a ltspserver
-if [ -f /etc/debian-edu/config ] && egrep -q "(LTSP-Server|Thin-Client-Server)" /etc/debian-edu/config ; then
+if [ -f /etc/debian-edu/config ] && grep -Eq "(LTSP-Server|Thin-Client-Server)" /etc/debian-edu/config ; then
if ! grep -q Main-Server /etc/debian-edu/config ; then
- if [ -x "`which invoke-rc.d 2>/dev/null`" ] ; then
+ if command -v invoke-rc.d >/dev/null; then
invoke-rc.d enable-nat start || exit $?
else
/etc/init.d/enable-nat start || exit $?
@@ -197,6 +197,13 @@
rmdir /etc/smbldap-tools
fi
fi
+ # Unregister init script fetch-ldap-cert
+ if dpkg --compare-versions "$2" le "2.12.33"; then
+ update-rc.d -f fetch-ldap-cert remove
+ fi
+
+ # Update dconf databases
+ command -v dconf >/dev/null && dconf update
;;
esac
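Review bot: "command -v dconf >/dev/null && dconf update" lets a failing dconf update determine the result of this branch. If the script runs under set -e (not visible in this hunk), a malformed keyfile placed in /etc/dconf/db/local.d or site.d would abort postinst and leave the package unconfigured. Since rebuilding the dconf databases is not essential to configuring the package, consider "dconf update || true" or logging a warning instead; the same line is added to postrm.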
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.postrm debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.postrm
--- debian-edu-config-2.12.32/debian/debian-edu-config.postrm 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.postrm 2023-09-27 22:34:54.000000000 +0200
@@ -5,8 +5,9 @@
case "$1" in
remove)
# Calling the init script during removal
- if [ -x "/etc/init.d/enable-nat" ] ; then
- if [ -x "`which invoke-rc.d 2>/dev/null`" ] ; then
+ if systemctl list-unit-files -q enable-nat >/dev/null 2>&1 || \
+ [ -x "/etc/init.d/enable-nat" ] ; then
+ if command -v invoke-rc.d >/dev/null ; then
invoke-rc.d enable-nat stop || exit $?
else
/etc/init.d/enable-nat stop || exit $?
@@ -17,6 +18,9 @@
rm -rf /var/lib/cfengine3/inputs/
mkdir /var/lib/cfengine3/inputs/
fi
+
+ # Update dconf databases
+ command -v dconf >/dev/null && dconf update
;;
purge)
# remove user/group debian-edu from system
diff -Nru debian-edu-config-2.12.32/debian/debian-edu-config.prerm debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.prerm
--- debian-edu-config-2.12.32/debian/debian-edu-config.prerm 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/debian-edu-config.prerm 2023-09-27 22:34:54.000000000 +0200
@@ -5,7 +5,8 @@
case "$1" in
remove)
# Calling the init script during removal
- if [ -x "/etc/init.d/enable-nat" ] ; then
+ if systemctl list-unit-files -q enable-nat >/dev/null 2>&1 || \
+ [ -x "/etc/init.d/enable-nat" ] ; then
if command -v invoke-rc.d >/dev/null ; then
invoke-rc.d enable-nat stop || exit $?
else
diff -Nru debian-edu-config-2.12.32/debian/dirs debian-edu-config-2.12.41~deb12u1/debian/dirs
--- debian-edu-config-2.12.32/debian/dirs 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/debian/dirs 2023-09-27 22:34:54.000000000 +0200
@@ -5,6 +5,11 @@
etc/chromium/policies/managed
etc/cron.d
etc/cups
+etc/dconf
+etc/dconf/profile
+etc/dconf/db
+etc/dconf/db/local.d
+etc/dconf/db/site.d
etc/debian-edu
etc/default
etc/exports.d
diff -Nru debian-edu-config-2.12.32/debian/rules debian-edu-config-2.12.41~deb12u1/debian/rules
--- debian-edu-config-2.12.32/debian/rules 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/rules 2023-09-27 22:34:54.000000000 +0200
@@ -10,13 +10,22 @@
override_dh_installinit:
# Start it after 15bind9 and 19slapd
- dh_installinit --init-script fetch-ldap-cert -r --no-start
dh_installinit --init-script fetch-rootca-cert -r --no-start
# Start it after 15bind9, 19slapd and 95fetch-ldap-cert, and add some to be sure
dh_installinit --init-script firefox-ldapconf -r --no-start
dh_installinit --init-script chromium-ldapconf -r --no-start
dh_installinit --init-script enable-nat --no-start
+override_dh_installsystemd:
+ dh_installsystemd --no-start --name chromium-ldapconf
+ dh_installsystemd --no-start --name enable-nat
+ dh_installsystemd --no-start --name fetch-rootca-cert
+ dh_installsystemd --no-start --name firefox-ldapconf
+ dh_installsystemd --no-start --name debian-edu-fsautoresize
+ dh_installsystemd --no-start --name debian-edu-update-netblock
+ dh_installsystemd --no-start --name debian-edu-cups-queue-autoflush
+ dh_installsystemd --no-start --name debian-edu-cups-queue-autoreenable
+
override_dh_installman:
dh_installman
help2man -N -n "ldap-add-host-to-netgroup - Adds a host as a member in the given netgroup" \
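Review bot: every unit in override_dh_installsystemd is installed with --no-start, including the timer-driven ones (debian-edu-fsautoresize, debian-edu-update-netblock, debian-edu-cups-queue-autoreenable), so after upgrading a running system the timers stay inactive until the next boot. Please say so in the changelog or drop --no-start for the timers. The retained comment "Start it after 15bind9, 19slapd and 95fetch-ldap-cert" is also stale now that the fetch-ldap-cert line is removed.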
diff -Nru debian-edu-config-2.12.32/debian/tests/configure-edu-gateway debian-edu-config-2.12.41~deb12u1/debian/tests/configure-edu-gateway
--- debian-edu-config-2.12.32/debian/tests/configure-edu-gateway 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/tests/configure-edu-gateway 1970-01-01 01:00:00.000000000 +0100
@@ -1,14 +0,0 @@
-#!/bin/sh
-set -e
-
-export LC_ALL=C
-export PROFILE=Minimal
-export DESKTOP=none
-
-echo
-echo "Install Debian Edu chroot using profile $PROFILE, then run a script"
-echo "to turn this minimal system into a dedicated gateway."
-echo
-cd $AUTOPKGTEST_TMP
-PROFILE=$PROFILE DESKTOP=$DESKTOP /usr/share/debian-edu-config/tools/debian-edu-bless
-/usr/share/debian-edu-config/tools/configure-edu-gateway --firewall no
diff -Nru debian-edu-config-2.12.32/debian/tests/control debian-edu-config-2.12.41~deb12u1/debian/tests/control
--- debian-edu-config-2.12.32/debian/tests/control 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/debian/tests/control 2023-09-27 22:34:54.000000000 +0200
@@ -1,3 +1,3 @@
-Tests: install-task-pkgs, improve-desktop-l10n, configure-edu-gateway
+Tests: install-task-pkgs, improve-desktop-l10n
Depends: debian-edu-install, education-common, locales
Restrictions: needs-root allow-stderr
diff -Nru debian-edu-config-2.12.32/etc/cups/cups-files-debian-edu.conf debian-edu-config-2.12.41~deb12u1/etc/cups/cups-files-debian-edu.conf
--- debian-edu-config-2.12.32/etc/cups/cups-files-debian-edu.conf 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/etc/cups/cups-files-debian-edu.conf 2023-09-27 22:34:54.000000000 +0200
@@ -1,4 +1,4 @@
-SystemGroup lpadmin printer-admins
+SystemGroup root lpadmin printer-admins
AccessLog /var/log/cups/access_log
ErrorLog /var/log/cups/error_log
PageLog /var/log/cups/page_log
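Review bot: adding root to SystemGroup extends CUPS administrative rights to every member of group root in addition to lpadmin and printer-admins, and the diff gives no reason for it. Please record in the changelog which operation required this, so that the wider admin set is a documented decision rather than a side effect.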
diff -Nru debian-edu-config-2.12.32/etc/dconf/profile/user debian-edu-config-2.12.41~deb12u1/etc/dconf/profile/user
--- debian-edu-config-2.12.32/etc/dconf/profile/user 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/etc/dconf/profile/user 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,3 @@
+user-db:user
+system-db:local
+system-db:site
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert
--- debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert 2014-12-01 14:47:49.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert 1970-01-01 01:00:00.000000000 +0100
@@ -1,25 +0,0 @@
-#!/bin/sh
-# Make sure LDAP certificate is downloaded when the network become
-# available, if the init.d script failed to fetch it at boot.
-
-if [ -r /etc/debian-edu/config ] ; then
- . /etc/debian-edu/config
-fi
-
-if [ false = "$DHCP_FETCH_LDAP_CERT" ] ; then
- exit 0
-fi
-
-# Avoid dependency loop by not calling init.d script when dhclient is
-# called by init.d/networking. Workaround for BTS issue #754218.
-if [ -d /run/systemd/system ]; then
- systemctl list-jobs | grep -q network.target && exit 0
-fi
-
-case $reason in
- BOUND|RENEW|REBIND|REBOOT)
- /etc/init.d/fetch-ldap-cert start
- ;;
- EXPIRE|FAIL|RELEASE|STOP)
- ;;
-esac
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert
--- debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhclient-exit-hooks.d/fetch-rootca-cert 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Make sure the DebianEdu root certificate is downloaded when the network
+# becomes available, if the init system service failed to fetch it at boot.
+
+if [ -r /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Avoid dependency loop by not calling init system service when dhclient is
+# called by init.d/networking. Workaround for BTS issue #754218.
+if [ -d /run/systemd/system ]; then
+ systemctl list-jobs | grep -q network.target && exit 0
+fi
+
+case $reason in
+ BOUND|RENEW|REBIND|REBOOT)
+ /usr/share/debian-edu-config/tools/fetch-rootca-cert
+ ;;
+ EXPIRE|FAIL|RELEASE|STOP)
+ ;;
+esac
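Review bot: the removed fetch-ldap-cert hook could be switched off with DHCP_FETCH_LDAP_CERT=false in /etc/debian-edu/config, while this replacement still sources that file but reads nothing from it, so there is no opt-out. The hook fires on every BOUND, RENEW, REBIND and REBOOT on whatever network grants the lease, which matters for roaming workstations. Either keep an equivalent switch or confirm that tools/fetch-rootca-cert returns early once the certificate is installed.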
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/hostname debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhclient-exit-hooks.d/hostname
--- debian-edu-config-2.12.32/etc/dhcp/dhclient-exit-hooks.d/hostname 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhclient-exit-hooks.d/hostname 2023-09-27 22:34:54.000000000 +0200
@@ -19,10 +19,10 @@
. /etc/debian-edu/config
fi
-if echo "$PROFILE" | egrep -q 'Main-Server|Roaming-Workstation|Standalone' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Roaming-Workstation|Standalone' ; then
exit 0
else
- if echo "$PROFILE" | egrep -q 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
+ if echo "$PROFILE" | grep -Eq 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
:
fi
fi
diff -Nru debian-edu-config-2.12.32/etc/dhcp/dhcpd-debian-edu.conf debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhcpd-debian-edu.conf
--- debian-edu-config-2.12.32/etc/dhcp/dhcpd-debian-edu.conf 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/etc/dhcp/dhcpd-debian-edu.conf 2023-09-27 22:34:54.000000000 +0200
@@ -1,5 +1,5 @@
lease-file-name "/var/lib/dhcp/dhcpd.leases";
-ldap-server "ldap";
+ldap-server "ldap.intern";
ldap-port 389;
ldap-base-dn "dc=skole,dc=skolelinux,dc=no";
ldap-dhcp-server-cn "tjener";
diff -Nru debian-edu-config-2.12.32/etc/exim4/exim-ldap-client-v4.conf debian-edu-config-2.12.41~deb12u1/etc/exim4/exim-ldap-client-v4.conf
--- debian-edu-config-2.12.32/etc/exim4/exim-ldap-client-v4.conf 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/etc/exim4/exim-ldap-client-v4.conf 2023-09-27 22:34:54.000000000 +0200
@@ -13,6 +13,10 @@
LOCALHOST = 127.0.0.1/8
+# intentialnally empty (the default value) in order to prevent
+# constant warning messages in the log file
+keep_environment =
+
# These options specify the Access Control Lists (ACLs) that
# are used for incoming SMTP messages - after the RCPT and DATA
# commands, respectively.
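Review bot: typo in the added comment, "intentialnally" should read "intentionally". The comment would also be more useful if it named the warning it silences, since it describes "keep_environment =" as the default value and a reader will wonder why a default needs to be set explicitly.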
diff -Nru debian-edu-config-2.12.32/etc/ifplugd/ifplugd.action debian-edu-config-2.12.41~deb12u1/etc/ifplugd/ifplugd.action
--- debian-edu-config-2.12.32/etc/ifplugd/ifplugd.action 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/etc/ifplugd/ifplugd.action 2023-09-27 22:34:54.000000000 +0200
@@ -30,13 +30,11 @@
$WHEREAMI --syslog --run_from ifplugd --hint $1,$2
else
if [ "$2" = "up" ]; then
- [ -x /etc/init.d/wlan ] && /etc/init.d/wlan up $1
/sbin/ifup $1
exit $?
elif [ "$2" = "down" ]; then
/sbin/ifdown $1
sleep 5
- [ -x /etc/init.d/wlan ] && /etc/init.d/wlan down $1
exit $?
fi
fi
diff -Nru debian-edu-config-2.12.32/etc/insserv/overrides/ntp debian-edu-config-2.12.41~deb12u1/etc/insserv/overrides/ntp
--- debian-edu-config-2.12.32/etc/insserv/overrides/ntp 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/etc/insserv/overrides/ntp 1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-# BTS #585772
-### BEGIN INIT INFO
-# Provides: ntp
-# Required-Start: $network $remote_fs $syslog
-# Required-Stop: $network $remote_fs $syslog
-# Should-Start: $named
-# Default-Start: 2 3 4 5
-# Default-Stop:
-# Short-Description: Start NTP daemon
-### END INIT INFO
diff -Nru debian-edu-config-2.12.32/etc/ldap/rootDSE-debian-edu.ldif debian-edu-config-2.12.41~deb12u1/etc/ldap/rootDSE-debian-edu.ldif
--- debian-edu-config-2.12.32/etc/ldap/rootDSE-debian-edu.ldif 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/etc/ldap/rootDSE-debian-edu.ldif 2023-09-27 22:34:54.000000000 +0200
@@ -1,5 +1,5 @@
# This entry is available using
-# ldapsearch -LLL -h ldap -s base -b '' -x '*' +
+# ldapsearch -LLL -H ldap://ldap -s base -b '' -x '*' +
dn:
objectClass: labeledURIObject
labeledURI: http://www.skolelinux.org/ LDAP for Debian Edu/Skolelinux
diff -Nru debian-edu-config-2.12.32/etc/ntpsec/ntp.d/debian-edu.conf debian-edu-config-2.12.41~deb12u1/etc/ntpsec/ntp.d/debian-edu.conf
--- debian-edu-config-2.12.32/etc/ntpsec/ntp.d/debian-edu.conf 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/etc/ntpsec/ntp.d/debian-edu.conf 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,2 @@
+server 127.127.1.0 #local clock as fallback
+refclock local stratum 10 #not disciplined
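Review bot: the two added lines look like the same local-clock driver declared twice, once in the legacy form "server 127.127.1.0" and once in the ntpsec form "refclock local stratum 10". Keep only one unless both are needed, and if both are, explain why in the comment.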
diff -Nru debian-edu-config-2.12.32/etc/X11/Xsession.d/09debian-edu-missing-home debian-edu-config-2.12.41~deb12u1/etc/X11/Xsession.d/09debian-edu-missing-home
--- debian-edu-config-2.12.32/etc/X11/Xsession.d/09debian-edu-missing-home 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/etc/X11/Xsession.d/09debian-edu-missing-home 2023-09-27 22:34:54.000000000 +0200
@@ -4,7 +4,7 @@
# Should not run on Main-Server, Roaming-Workstation and Standalone
if [ -r /etc/debian-edu/config ] ; then
. /etc/debian-edu/config
- if echo "$PROFILE" | egrep -q 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
+ if echo "$PROFILE" | grep -Eq 'Workstation|LTSP-Server|Thin-Client-Server|Minimal' ; then
if [ ! -d $HOME -o / = "$HOME" ] ; then
cat <<EOF | \
xmessage -buttons Understood:0 -timeout 30 -center -file -
diff -Nru debian-edu-config-2.12.32/ldap-bootstrap/firstuser.ldif debian-edu-config-2.12.41~deb12u1/ldap-bootstrap/firstuser.ldif
--- debian-edu-config-2.12.32/ldap-bootstrap/firstuser.ldif 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/ldap-bootstrap/firstuser.ldif 2023-09-27 22:34:54.000000000 +0200
@@ -15,8 +15,8 @@
userPassword: $FIRSTUSERPWDHASH
homeDirectory: /skole/tjener/home0/$FIRSTUSERNAME
loginShell: /bin/bash
-uidNumber: 1000
-gidNumber: 1000
+uidNumber: 2000
+gidNumber: 2000
gecos: $FIRSTUSERGECOS
shadowLastChange: 14818
@@ -25,4 +25,4 @@
objectClass: posixGroup
cn: $FIRSTUSERNAME
description: Group of user $FIRSTUSERNAME
-gidNumber: 1000
+gidNumber: 2000
diff -Nru debian-edu-config-2.12.32/ldap-bootstrap/gosa.ldif debian-edu-config-2.12.41~deb12u1/ldap-bootstrap/gosa.ldif
--- debian-edu-config-2.12.32/ldap-bootstrap/gosa.ldif 2023-02-06 21:22:13.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/ldap-bootstrap/gosa.ldif 2023-09-27 22:34:54.000000000 +0200
@@ -126,6 +126,13 @@
memberUid: $FIRSTUSERNAME
+################### Incoming Arp Devices ##############
+
+dn: ou=incoming,dc=skole,dc=skolelinux,dc=no
+objectClass: organizationalUnit
+ou: incoming
+
+
################### Templates ########################
# Groups and user templates for teachers and students
diff -Nru debian-edu-config-2.12.32/ldap-bootstrap/root.ldif debian-edu-config-2.12.41~deb12u1/ldap-bootstrap/root.ldif
--- debian-edu-config-2.12.32/ldap-bootstrap/root.ldif 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/ldap-bootstrap/root.ldif 2023-11-30 08:36:09.000000000 +0100
@@ -29,7 +29,7 @@
ou: skole
o: skole.skolelinux.no
labeledURI: https://www/ LDAP for Debian Edu/Skolelinux
-gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
+gosaAclEntry: 0:psub:$GOSAADMINSDN64:all/all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r
gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r
gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw
gosaAclEntry: 3:role:$ADMINROLEDN64:
diff -Nru debian-edu-config-2.12.32/ldap-tools/ldap-createuser-krb5 debian-edu-config-2.12.41~deb12u1/ldap-tools/ldap-createuser-krb5
--- debian-edu-config-2.12.32/ldap-tools/ldap-createuser-krb5 2023-01-30 14:31:55.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/ldap-tools/ldap-createuser-krb5 2023-09-27 22:34:54.000000000 +0200
@@ -5,26 +5,75 @@
# users at the same time to LDAP, as the uid and gid values will
# conflict.
-# The samba related attributes are described in
-# <URL: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc43 >
-
set -e
+function usage {
+ cat >&2 <<EOF
+Usage: $0 [-u uid] [-g gid] [-G group[,group]...] [-d department] <username> <gecos>
+ Create a user with a personal group and configure its kerberos
+ principal.
+EOF
+}
+
+if [[ $(id -u) -ne 0 ]]; then
+ printf "error: this script needs to be run as root\n" >&2
+ exit 1
+fi
+
+NEWUID=
+NEWGID=
+ADDITIONAL_GROUPS=
+DEPT=
+while getopts "d:hg:G:u:" arg; do
+ case $arg in
+ d)
+ DEPT="${OPTARG}"
+ ;;
+ g)
+ NEWGID="${OPTARG}"
+ ;;
+ G)
+ ADDITIONAL_GROUPS="${OPTARG}"
+ ;;
+ u)
+ NEWUID="${OPTARG}"
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ *)
+ usage
+ exit 2
+ esac
+done
+shift $((OPTIND - 1))
+
USERNAME="$1"
+
# posixAccount only accept ASCII in the gecos attribute. Make sure
# any non-ascii characters are converted apprpropriately.
GECOS="$(echo $2 | iconv -t ASCII//TRANSLIT)"
-if [ -z "$USERNAME" -o -z "$GECOS" ] ; then
- echo "Usage: $0 <username> <gecos>"
- echo
- echo " Create a user with a personal group and configure its kerberos"
- echo " principal."
+if [[ $# -ne 2 || -z "$USERNAME" || -z "$GECOS" ]]; then
+ usage
exit 1
fi
-# Put users in first gosaDepartment
-BASE=$(ldapsearch -x "(objectClass=gosaDepartment)" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}' | sort | head -1)
+read -rs -p "new user password: " PASSWORD
+echo
+read -rs -p "confirm password: " CONFIRM
+if [[ "${CONFIRM}" != "${PASSWORD}" ]]; then
+ echo "passwords do not match" >&2
+ exit 1
+fi
+
+if [[ -n $DEPT ]]; then
+ BASE="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=gosaDepartment)(ou:dn:=${DEPT}))" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)"
+else
+ # Put users in first gosaDepartment
+ BASE=$(ldapsearch -x -LLL -o ldif-wrap=no "(objectClass=gosaDepartment)" 2>/dev/null | awk '/^dn: / {print $2}' | sort | head -1)
+fi
if [ -z "$BASE" ] ; then
BASE="$(debian-edu-ldapserver -b)"
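Review bot: the value of `-d` is interpolated unescaped into the search filter in `(&(objectClass=gosaDepartment)(ou:dn:=${DEPT}))`, so a department string containing `(`, `)`, `*` or `\` rewrites the filter instead of matching a name; escape those characters or reject them before calling ldapsearch. When `-d` matches nothing, the following `if [ -z "$BASE" ]` silently falls back to the server base instead of reporting the unknown department. In the password prompt, two empty inputs pass the `CONFIRM` comparison, and there is no `echo` after the second `read -rs`, so an empty password is accepted and any later output starts on the prompt line.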
@@ -39,48 +88,14 @@
admindn=$(ldapsearch -x "(&(cn=$ADMINUSER)(objectClass=simpleSecurityObject))" 2>/dev/null | perl -p0e 's/\n //g' | awk '/^dn: / {print $2}')
HOMEDIR=/skole/tjener/home0/$USERNAME
-SMBHOMEPATH="\\\\tjener.intern\\$USERNAME"
KRB5DOMAIN=INTERN
-SAMBADOMAIN=SKOLELINUX
PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
-# Find last UID/GID
-SAMBASID=`net getlocalsid $HOSTNAME 2>/dev/null | awk '{ print $6; }'`
-
-if [ -z "$SAMBASID" ] ; then
- echo "error: unable to fetch Samba SID"
- exit 1
-fi
-
-SAMBADOMAINDN=$(ldapsearch -x -s sub \
- "(&(objectclass=sambaDomain)(sambaDomainName=$SAMBADOMAIN))" \
- dn 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^dn: / { print $2}')
-
-if [ -z "$SAMBADOMAINDN" ] ; then
- echo "error: unable to find sambaDomain LDAP object"
- exit 1
-fi
-
-SAMBARID=$(ldapsearch -s base -b "$SAMBADOMAINDN" -x \
- sambaNextRid 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^sambaNextRid: / { print $2}')
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=2000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=2000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
-if [ -z "$SAMBARID" ] ; then
- echo "error: unable to find sambaNextRid LDAP attribute in $SAMBADOMAINDN"
- exit 1
-fi
-
-NEXTRID=$(( $SAMBARID + 1 ))
-
-LASTID=$(ldapsearch -s sub -x \
- '(|(objectclass=posixaccount)(objectclass=posixgroup))' \
- uidnumber gidnumber 2>/dev/null | perl -p0e 's/\n //g' | \
- awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')
-
-# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
+# If no ID was found, use LASTID=2000-1 to get uid/gid=2000
if [ -z "$LASTID" ] ; then
- LASTID=999
+ LASTID=1999
fi
NEWUID=$(( $LASTID + 1 ))
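Review bot: `NEWUID=$(( $LASTID + 1 ))` at the end of this hunk is unconditional, so a uid passed with `-u` and stored in `NEWUID` by the getopts loop is overwritten and the option advertised in `usage` has no effect. Compute the next free id only when `NEWUID` is empty. The new `LASTID` search is also bounded at `uidNumber<=10000` and `gidNumber<=10000`: once the highest id in range is 10000 the script hands out 10001, which the next run no longer sees, so 10001 would be allocated again. Either fail when the range is exhausted or drop the upper bound from the maximum search.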
@@ -92,6 +107,8 @@
ldif="$ldif
dn: cn=$USERNAME,$GROUPBASE
+changetype: add
+objectClass: top
objectClass: posixGroup
cn: $USERNAME
description: Private group of user $USERNAME
@@ -99,21 +116,26 @@
"
fi
+USER_PASSWORD="$(slappasswd -h '{CRYPT}' -c '$y$j9T$%.16s$' -T /dev/stdin <<<"${PASSWORD}")"
+
ldif="$ldif
dn: uid=$USERNAME,$USERBASE
+changetype: add
+objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
+objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
-objectClass: sambaSamAccount
+objectClass: krbTicketPolicyAux
sn: $GECOS
givenName: $GECOS
uid: $USERNAME
cn: $GECOS
-userPassword: {SSHA}N0T$3T4N0W
+userPassword: $USER_PASSWORD
homeDirectory: $HOMEDIR
loginShell: /bin/bash
uidNumber: $NEWUID
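Review bot: on the `USER_PASSWORD=` line the here-string `<<<"${PASSWORD}"` appends a newline to what `slappasswd -T /dev/stdin` reads, so it is worth confirming that the resulting `{CRYPT}` hash verifies against the password without that newline; feeding the value with `printf '%s' "${PASSWORD}" |` removes the question. A short comment stating that `userPassword` now holds a real yescrypt hash in place of the old unusable `{SSHA}N0T$3T4N0W` placeholder would also document the behaviour change.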
@@ -123,30 +145,67 @@
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
-sambaSID: $SAMBASID-$SAMBARID
-sambaAcctFlags: [U]
-sambaHomePath: SMBHOMEPATH
+krbPwdPolicyReference: cn=users,cn=${KRB5DOMAIN},cn=kerberos,$(debian-edu-ldapserver -b)
krbPrincipalName: $USERNAME@$KRB5DOMAIN
"
-# Update samba RIN
-ldif="$ldif
-dn: $SAMBADOMAINDN
+oIFS="${IFS}"
+IFS=","
+set -- $ADDITIONAL_GROUPS
+IFS="${oIFS}"
+for group; do
+ group_dn="$(ldapsearch -x -LLL -o ldif-wrap=no "(&(objectClass=posixGroup)(cn=$group))" '')"
+ if [ -z "${group_dn}" ]; then
+ echo "group not found: ${group}" >&2
+ continue
+ fi
+ ldif="$ldif
+
+$group_dn
changetype: modify
-replace: sambaNextRid
-sambaNextRid: $NEXTRID
+add: memberUid
+memberUid: $USERNAME
"
+done
echo "$ldif"
-if echo "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then
+if echo "$ldif" | ldapmodify -ZZ -D "$admindn" -W -v -x ; then
# Set the kerberos password
- kadmin.local -q "change_password $USERNAME@$KRB5DOMAIN"
+ kadmin.local <<EOF
+change_password $USERNAME@$KRB5DOMAIN
+${PASSWORD}
+${PASSWORD}
+EOF
# Create home directory
if [ ! -d $HOMEDIR ] ; then
- cp -r /etc/skel $HOMEDIR
- chown -R $NEWUID:$NEWGID $HOMEDIR
+ cp -r /etc/skel $HOMEDIR
+ mkdir -p $HOMEDIR/.pki/nssdb
+ chmod -R 700 $HOMEDIR/.pki/nssdb
+ certutil -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+ chown -R $NEWUID:$NEWGID $HOMEDIR
fi
+
+ # add Samba user
+ smbpasswd -a -n -s $USERNAME
+
+ # Send welcome mail in order to create maildir for dovecot
+ /usr/lib/sendmail "${USERNAME}@postoffice.intern" <<EOF
+Subject: Welcome to the mail-system
+
+Hello $GECOS,
+
+welcome to the mail-system.
+
+Your userID is $USERNAME, and your email address is:
+
+ $USERNAME@postoffice.intern
+
+Regards,
+
+ Debian-Edu SysAdmin
+
+EOF
fi
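Review bot: `smbpasswd -a -n -s $USERNAME` creates the Samba account with `-n` (null password) and nothing is written to the stdin that `-s` expects, so the Samba credential is not set to the password that LDAP and `kadmin.local` just received. If the three stores are meant to agree, drop `-n` and feed the password twice on stdin, with `"$USERNAME"` quoted. In the `for group` loop, `$group` goes into the filter unescaped, and a filter that matches more than one entry puts several `dn:` lines into a single modify record; check that exactly one entry came back before appending to `$ldif`. The `kadmin.local` here-document also expands `${PASSWORD}`, so a password containing a backquote or `$(` is not passed literally.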
diff -Nru debian-edu-config-2.12.32/ldap-tools/ldap-debian-edu-install debian-edu-config-2.12.41~deb12u1/ldap-tools/ldap-debian-edu-install
--- debian-edu-config-2.12.32/ldap-tools/ldap-debian-edu-install 2022-10-17 21:55:44.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/ldap-tools/ldap-debian-edu-install 2023-09-27 22:34:54.000000000 +0200
@@ -363,7 +363,7 @@
mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
certutil -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
+ chown -R 2000:2000 /skole/tjener/home0/"$FIRSTUSERNAME"/
echo "info: created PKI nssdb files for first-user"
fi
diff -Nru debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts debian-edu-config-2.12.41~deb12u1/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts
--- debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/libexec/debian-edu-cups-queue-autoflush-for-netgroup-hosts 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically flush print queues every night if the
+ # host is a member of the cups-queue-autoflush-hosts netgroup.
+ if innetgr -h $hostname cups-queue-autoflush-hosts ; then
+ exec /usr/share/debian-edu-config/tools/cups-queue-autoflush
+ fi
+
+done
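Review bot: unlike the autoreenable and fsautoresize wrappers added in this same diff, this script does not test that `/usr/share/debian-edu-config/tools/cups-queue-autoflush` is executable before the `exec`, so a missing tool becomes a job failure on every run for hosts in the netgroup. Add the same `[ -x ... ] &&` guard for consistency, and quote `$hostname` in the `innetgr -h` call.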
diff -Nru debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts debian-edu-config-2.12.41~deb12u1/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts
--- debian-edu-config-2.12.32/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/libexec/debian-edu-cups-queue-autoreenable-for-netgroup-hosts 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically restart disabled print queues every hour if the
+ # host is a member of the cups-queue-autoreenable-hosts netgroup.
+ if [ -x /usr/share/debian-edu-config/tools/cups-queue-autoreenable ] &&
+ innetgr -h $hostname cups-queue-autoreenable-hosts ; then
+ exec /usr/share/debian-edu-config/tools/cups-queue-autoreenable
+ fi
+
+done
diff -Nru debian-edu-config-2.12.32/libexec/debian-edu-fsautoresize-for-netgroup-hosts debian-edu-config-2.12.41~deb12u1/libexec/debian-edu-fsautoresize-for-netgroup-hosts
--- debian-edu-config-2.12.32/libexec/debian-edu-fsautoresize-for-netgroup-hosts 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/libexec/debian-edu-fsautoresize-for-netgroup-hosts 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+[ -x /usr/bin/innetgr ] || exit 0
+
+for hostname in "$(uname -n)" "$(hostname -s)" ; do
+
+ # Automatically extend full LVM volumes if the host is a member of
+ # the fsautoresize-hosts netgroup.
+ if [ -x /usr/sbin/debian-edu-fsautoresize ] &&
+ innetgr -h $hostname fsautoresize-hosts ; then
+ exec debian-edu-fsautoresize -n
+ fi
+
+done
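Review bot: the guard tests the absolute path `/usr/sbin/debian-edu-fsautoresize`, but the `exec` line runs the bare name `debian-edu-fsautoresize -n`, which only works when the caller's PATH contains /usr/sbin. Exec the same absolute path that was tested, and quote `$hostname` in the `innetgr -h` call.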
diff -Nru debian-edu-config-2.12.32/Makefile debian-edu-config-2.12.41~deb12u1/Makefile
--- debian-edu-config-2.12.32/Makefile 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/Makefile 2023-09-27 22:34:54.000000000 +0200
@@ -1,11 +1,15 @@
PACKAGE = debian-edu-config
+NULL =
+
PROGS = \
debian-edu-ldapserver \
update-ini-file \
- debian-edu-copy-pki
+ debian-edu-copy-pki \
+ $(NULL)
-SPROGS = debian-edu-fsautoresize \
+SPROGS = \
+ debian-edu-fsautoresize \
debian-edu-ltsp-chroot \
debian-edu-ltsp-install \
debian-edu-ltsp-initrd \
@@ -14,31 +18,41 @@
debian-edu-restart-services \
debian-edu-test-install \
debian-edu-update-netblock \
- update-hostname-from-ip
-
-INSTALL = install -D -p -m 755
-INSTALL_DATA= install -D -p -m 644
+ update-hostname-from-ip \
+ $(NULL)
-prefix = /usr/local
-sysconfdir = /etc
-cf3dir = $(sysconfdir)/cfengine3/debian-edu
-bindir = $(prefix)/bin
-sbindir = $(prefix)/sbin
-docdir = $(prefix)/share/doc/$(PACKAGE)
-mandir = $(prefix)/share/man
-ldapdir = $(sysconfdir)/ldap
+LIBEXECPROGS = \
+ debian-edu-cups-queue-autoflush-for-netgroup-hosts \
+ debian-edu-cups-queue-autoreenable-for-netgroup-hosts \
+ debian-edu-fsautoresize-for-netgroup-hosts \
+ $(NULL)
+
+INSTALL = install -D -p -m 755
+INSTALL_DATA = install -D -p -m 644
+
+prefix = /usr/local
+sysconfdir = /etc
+cf3dir = $(sysconfdir)/cfengine3/debian-edu
+bindir = $(prefix)/bin
+sbindir = $(prefix)/sbin
+docdir = $(prefix)/share/doc/$(PACKAGE)
+mandir = $(prefix)/share/man
+ldapdir = $(sysconfdir)/ldap
slbackupphpdir = $(sysconfdir)/slbackup-php
-schemadir = $(ldapdir)/schema
-dhcpdir = $(sysconfdir)/dhcp
-libdir = /usr/lib
-pkglibdir = $(libdir)/debian-edu-config
-vardir = /var
-wwwdir = /etc/debian-edu/www
+schemadir = $(ldapdir)/schema
+dhcpdir = $(sysconfdir)/dhcp
+libdir = /usr/lib
+pkglibdir = $(libdir)/debian-edu-config
+libexecdir = /usr/libexec
+pkglibexecdir = $(libexecdir)/debian-edu-config
+vardir = /var
+wwwdir = /etc/debian-edu/www
CF3FILES = \
cf.adduser \
cf.apache2 \
+ cf.cfengine3 \
cf.cups \
cf.desktop-networked \
cf.dhcpserver \
@@ -54,6 +68,7 @@
cf.ldapserver \
cf.ldapclient \
cf.bind \
+ cf.pam \
cf.pxeinstall \
cf.ntp \
cf.samba \
@@ -64,7 +79,8 @@
cf.xrdp \
cf.icinga \
edu.cf \
- promises.cf
+ promises.cf \
+ $(NULL)
# Files to install in /etc/
SYSCONFFILES = \
@@ -80,6 +96,7 @@
X11/Xsession.d/09debian-edu-missing-home \
X11/Xsession.d/10debian-edu-one-login-per-host \
X11/Xsession.d/55lightdm_gtk-greeter-rc \
+ dconf/profile/user \
debian-edu/nightkill.conf \
debian-edu/pxeinstall.conf \
default/munin-node \
@@ -98,7 +115,6 @@
filesystems \
firefox-esr/debian-edu.js \
php/apache2/php-debian-edu.ini \
- insserv/overrides/ntp \
ldap/rootDSE-debian-edu.ldif \
ldap/slapd-debian-edu-mdb.conf \
samba/smb-debian-edu.conf \
@@ -130,18 +146,21 @@
nagios3/debian-edu/service_templates.cfg \
nagios3/debian-edu/timeperiods.cfg \
munin/debian-edu-munin-node.conf \
- polkit-1/localauthority.conf.d/80-edu-admin.conf
+ polkit-1/localauthority.conf.d/80-edu-admin.conf \
+ ntpsec/ntp.d/debian-edu.conf \
+ $(NULL)
SYSCONFSCRIPTS = \
dhcp/dhclient-exit-hooks.d/autofs-reload \
dhcp/dhclient-exit-hooks.d/wpad-proxy-update \
- dhcp/dhclient-exit-hooks.d/fetch-ldap-cert \
+ dhcp/dhclient-exit-hooks.d/fetch-rootca-cert \
dhcp/dhclient-exit-hooks.d/hostname \
mklocaluser.d/20-debian-edu-config \
shutdown-at-night/clients-generator \
resolvconf/update.d/bind-debian-edu \
wicd/scripts/preconnect/set_wireless_mac_from_eth0 \
- X11/Xsession-debian-edu
+ X11/Xsession-debian-edu \
+ $(NULL)
SCHEMAS = \
autofs-debian-edu.schema \
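Review bot: the rename of `dhcp/dhclient-exit-hooks.d/fetch-ldap-cert` to `fetch-rootca-cert` in SYSCONFSCRIPTS, like the removal of `insserv/overrides/ntp` in the previous hunk, changes which files the package installs under /etc, and on upgraded systems the old hook stays in place and keeps running next to the new one unless the packaging removes it. This part of the diff does not show that removal, so please confirm the obsolete files are cleaned up on upgrade.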
@@ -162,7 +181,8 @@
gosa-samba3.schema \
gofax.schema \
goserver.schema \
- goto-mime.schema
+ goto-mime.schema \
+ $(NULL)
LDIFS = \
root.ldif \
@@ -175,7 +195,8 @@
krb5.ldif \
ltsp.ldif \
gosa.ldif \
- gosa-server.ldif
+ gosa-server.ldif \
+ $(NULL)
LDAPPROGRAMS = \
ldap-add-host-to-netgroup \
@@ -183,7 +204,8 @@
ldap-createuser-krb5 \
ldap2netgroup \
ldap-debian-edu-install \
- sitesummary2ldapdhcp
+ sitesummary2ldapdhcp \
+ $(NULL)
WWWFILES = \
index.html.ca \
@@ -204,10 +226,12 @@
index.html.zh-tw \
skl-ren_css.css \
logo-trans.png \
- wpad.dat
+ wpad.dat \
+ $(NULL)
LIBFILES = \
thunderbird/distribution/policies.json \
+ $(NULL)
all:
$(MAKE) -C www
@@ -219,6 +243,7 @@
install -d $(DESTDIR)$(ldapdir)
install -d $(DESTDIR)$(dhcpdir)
install -d $(DESTDIR)$(libdir)
+ install -d $(DESTDIR)$(pkglibexecdir)
# program's manpages are autodetected.
set -e ; for prog in $(PROGS); do \
@@ -237,6 +262,10 @@
fi \
done
+ set -e ; for libexecprog in $(LIBEXECPROGS); do \
+ $(INSTALL) libexec/$$libexecprog $(DESTDIR)$(pkglibexecdir) ; \
+ done
+
$(INSTALL_DATA) README $(DESTDIR)$(docdir)/README
$(INSTALL_DATA) README.public_html_with_PHP-CGI+suExec.md $(DESTDIR)$(docdir)/README.public_html_with_PHP-CGI+suExec.md
@@ -263,7 +292,6 @@
share/debian-edu-config/killer.cron \
share/debian-edu-config/tools/passwd \
share/debian-edu-config/tools/clean-up-host-keytabs \
- share/debian-edu-config/tools/configure-edu-gateway \
share/debian-edu-config/tools/create-debian-edu-certs \
share/debian-edu-config/tools/create-server-cert \
share/debian-edu-config/tools/cups-queue-autoflush \
@@ -321,6 +349,10 @@
share/debian-edu-config/tools/copy-host-keytab \
share/debian-edu-config/tools/improve-desktop-l10n \
share/debian-edu-config/tools/install-task-pkgs \
+ share/debian-edu-config/tools/chromium-ldapconf \
+ share/debian-edu-config/tools/firefox-ldapconf \
+ share/debian-edu-config/tools/nat \
+ share/debian-edu-config/tools/fetch-rootca-cert \
; do \
$(INSTALL) $$f $(DESTDIR)/usr/$$f ; \
done
@@ -330,6 +362,7 @@
set -e ; for f in \
share/debian-edu-config/avahi.smb.service \
share/debian-edu-config/rsyslog-collector \
+ share/debian-edu-config/rsyslog-filters \
share/debian-edu-config/smb.conf.edu-site \
share/debian-edu-config/firefox-networked-prefs.js \
share/debian-edu-config/squid.conf \
@@ -387,9 +420,9 @@
$(INSTALL_DATA) $$f $(DESTDIR)/usr/$$f ; \
done
- install -d $(DESTDIR)$(pkglibdir)/testsuite
+ install -d $(DESTDIR)$(pkglibexecdir)/testsuite
set -e ; for test in testsuite/* ; do \
- $(INSTALL) $$test $(DESTDIR)$(pkglibdir)/$$test; \
+ $(INSTALL) $$test $(DESTDIR)$(pkglibexecdir)/$$test; \
done
diff -Nru debian-edu-config-2.12.32/README debian-edu-config-2.12.41~deb12u1/README
--- debian-edu-config-2.12.32/README 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/README 2023-09-27 22:34:54.000000000 +0200
@@ -277,7 +277,7 @@
- use _ldap._tcp SRV record to find LDAP server
- use ldap "root" object to find LDAP tree info (like AD
defaultNamingContext attribute)
- "ldapsearch -x -s base -h $server -b '' -x '*'"
+ "ldapsearch -x -s base -H ldap://$server -b '' -x '*'"
- subnet three with relevant information? AD have subtree
"CN=Subnets,CN=Sites,CN=Configuration,$base" with objectClass=subnet
objects.
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-ltsp-install debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-ltsp-install
--- debian-edu-config-2.12.32/sbin/debian-edu-ltsp-install 2023-03-27 20:36:55.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-ltsp-install 2023-09-27 22:34:54.000000000 +0200
@@ -22,6 +22,35 @@
set -e
+select_desktop () {
+ # select the first found desktop as the default, based on what x2goclient
+ # (src/onmainwindow.cpp) and x2goserver (x2goserver/bin/x2goruncommand)
+ # support
+ if [ -x /usr/bin/startxfce4 ]; then # from xfce4-session
+ echo XFCE
+ # FIXME x2goclient and x2goserver (x2goruncommand) in Debian only support
+ # startkde which does not exist any more (#955128)
+ #elif [ -x /usr/bin/startplasma-x11 ]; then # from plasma-workspace
+ # echo KDE
+ elif [ -x /usr/bin/gnome-session ]; then # from gnome-session-bin
+ echo GNOME
+ elif [ -x /usr/bin/mate-session ]; then # from mate-session
+ echo MATE
+ elif [ -x /usr/bin/startlxde ]; then # from openbox-lxde-session
+ echo LXDE
+ elif [ -x /usr/bin/startlxqt ]; then # from lxqt-session
+ echo LXQT
+ elif [ -x /usr/bin/cinnamon-session-cinnamon2d ]; then # from cinnamon
+ echo CINNAMON
+ elif [ -x /usr/bin/openbox-session ]; then # from openbox
+ echo OPENBOX
+ elif [ -x /usr/bin/icewm-session ]; then # from icewm
+ echo ICEWM
+ else
+ echo XFCE
+ fi
+}
+
# usage
if [ -z "$1" ] ; then
echo "Use $0 -h or $0 --help for more information"
@@ -33,7 +62,7 @@
Usage information:
-debian-edu-ltsp-install --arch <amd64|i386> --dist <stable|testing|sid> --dns_server <10.0.2.2|dns server ip> --diskless_workstation <yes|no> --thin_type <bare|display|desktop> --dlw <yes|no> --img <yes|no> --desktop <xfce|cinnamon|gnome|kde|lxde|lxqt|mate|none>
+debian-edu-ltsp-install --arch <amd64|i386> --dist <stable|testing|sid> --dns_server <10.0.2.2|dns server ip> --diskless_workstation <yes|no> --thin_type <bare|display|desktop> --dlw <yes|no> --img <yes|no> --desktop <xfce|cinnamon|gnome|kde|lxde|lxqt|mate|none> --x2go_desktop <xfce|cinnamon|gnome|kde|lxde|lxqt|mate|openbox|icewm>
Turn a Debian Edu workstation into an LTSP server for both diskless
workstations and thin clients.
@@ -54,6 +83,11 @@
Other values: cinnamon, gnome, kde, lxde, lxqt, mate.
(And 'none' for modular installations - also useful for testing).
+--x2go_desktop takes effect for X2Go thin client setup, default is any
+ of the installed desktop environments
+ Other values: cinnamon, gnome, kde, lxde, lxqt, mate, openbox,
+ icewm
+
--thin_type has no default value. These are available:
bare: preconfigured x2go client running via 'startx' as user 'thin' with sound and
client side mass storage support.
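Review bot: the help text for `--x2go_desktop` does not match `select_desktop`: it lists `kde` as an accepted value although the KDE branch is commented out with a FIXME saying x2goclient and x2goserver no longer support it, and "default is any of the installed desktop environments" hides that the function picks the first match in a fixed order and falls back to XFCE. Drop `kde` from the list until the FIXME is resolved and describe the default as the first installed desktop in that order.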
@@ -100,6 +134,7 @@
dlw="no"
img="yes"
desktop="xfce"
+x2go_desktop="$(select_desktop)"
while [ $# -gt 0 ] ; do
case "$1" in
@@ -111,6 +146,9 @@
--dlw) dlw="$2" ; shift ;;
--img) img="$2" ; shift ;;
--desktop) desktop="$2" ; shift ;;
+ --x2go_dektop)
+ x2go_desktop="$(printf '%s\n' "$2" | tr '[:lower:]' '[:upper:]')"
+ shift ;;
--version) echo $version; exit 0 ;;
esac
shift
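Review bot: the new case label is spelled `--x2go_dektop)`, while the usage text documents `--x2go_desktop`, so the documented option never matches. Because the `case` has no `*)` branch, the option and its value are shifted away silently and the default from `select_desktop` is always used. Fix the spelling, and since the uppercased value is later written verbatim into `command=$x2go_desktop`, check it against the supported list and exit with an error on anything else.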
@@ -364,7 +402,7 @@
[default]
autologin=false
clipboard=both
-command=XFCE
+command=$x2go_desktop
defsndport=true
directrdp=false
directrdpsettings=
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-pxeinstall debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-pxeinstall
--- debian-edu-config-2.12.32/sbin/debian-edu-pxeinstall 2023-02-26 10:08:55.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-pxeinstall 2023-09-27 22:34:54.000000000 +0200
@@ -247,7 +247,7 @@
choose-mirror-bin mirror/http/directory string /debian
EOF
else
- debconf-get-selections --installer | egrep -w 'mirror/http/mirror|mirror/country|mirror/protocol|mirror/http/hostname|mirror/http/directory|mirror/ftp/hostname|mirror/ftp/directory' | sort
+ debconf-get-selections --installer | grep -Ew 'mirror/http/mirror|mirror/country|mirror/protocol|mirror/http/hostname|mirror/http/directory|mirror/ftp/hostname|mirror/ftp/directory' | sort
fi
# Make it easier to have local overrides and still be able to
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-restart-services debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-restart-services
--- debian-edu-config-2.12.32/sbin/debian-edu-restart-services 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-restart-services 2023-09-27 22:34:54.000000000 +0200
@@ -5,63 +5,116 @@
set -e
-echo "info: Stopping services in sequence."
-for ALL in /etc/rc1.d/K* ; do
- if [ -h $ALL ] ; then
- SERVICE=$(basename $(readlink $ALL))
- else
- SERVICE=$(basename $ALL)
- fi
- echo "info: Stopping $SERVICE"
- $ALL stop || /bin/true
-done
-
-for service in \
- slapd \
- rpcbind \
- apache \
- ;
+sysvinit_restart_services () {
+ echo "info: Stopping services in sequence."
+ for ALL in /etc/rc1.d/K* ; do
+ if [ -h $ALL ] ; then
+ SERVICE=$(basename $(readlink $ALL))
+ else
+ SERVICE=$(basename $ALL)
+ fi
+ echo "info: Stopping $SERVICE"
+ $ALL stop || /bin/true
+ done
+
+ for service in \
+ slapd \
+ rpcbind \
+ apache \
+ ;
+ do
+ if [ "$(pidof $service)" ] ; then
+ echo "info: '$service' still running, sending HUP."
+ pkill $service || /bin/true
+ fi
+ done
+
+ echo "info: Checking what's still running"
+ ps aux | while read LINE ; do
+ echo "info: $LINE"
+ done
+
+ for service in \
+ slapd \
+ rpcbind \
+ apache \
+ ;
+ do
+ if [ "$(pidof $service)" ] ; then
+ echo "info: '$service' still running, sending KILL."
+ pkill -9 $service || /bin/true
+ fi
+ done
+
+ echo "info: Checking what's still running"
+ ps aux | while read LINE ; do
+ echo "info: $LINE"
+ done
+
+ echo "Info: Restarting networking"
+ /etc/init.d/networking restart || /bin/true
+
+ echo "info: Starting services in sequence."
+ for ALL in /etc/rc2.d/S* ; do
+ if [ -h $ALL ] ; then
+ SERVICE=$(basename $(readlink $ALL))
+ else
+ SERVICE=$(basename $ALL)
+ fi
+ echo "info: Starting $SERVICE"
+ $ALL start || /bin/true
+ done
+}
+
+systemd_restart_services () {
+ systemctl daemon-reload
+
+ systemctl restart networking.service
+
+ for service in \
+ apache2.service \
+ cups.service \
+ dovecot.service \
+ exim4.service \
+ icinga2.service \
+ inetd.service \
+ isc-dhcp-server.service \
+ krb5-admin-server.service \
+ krb5-kdc.service \
+ ltsp.service \
+ mariadb.service \
+ munin-node.service \
+ munin.service \
+ nagios-nrpe-server.service \
+ named.service \
+ nfs-server.service \
+ nmbd.service \
+ nscd.service \
+ nslcd.service \
+ ntpsec.service \
+ rsyslog.service \
+ sitesummary-client.service \
+ slapd.service \
+ smbd.service \
+ squid.service \
+ sudo-ldap.service \
+ tftpd-hpa.service \
+ x2goserver.service \
+ xrdp.service \
+ xrdp-sesman.service
do
- if [ "$(pidof $service)" ] ; then
- echo "info: '$service' still running, sending HUP."
- pkill $service || /bin/true
- fi
-done
-
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do
- echo "info: $LINE"
-done
-
-for service in \
- slapd \
- rpcbind \
- apache \
- ;
- do
- if [ "$(pidof $service)" ] ; then
- echo "info: '$service' still running, sending KILL."
- pkill -9 $service || /bin/true
- fi
-done
-
-echo "info: Checking what's still running"
-ps aux | while read LINE ; do
- echo "info: $LINE"
-done
-
-echo "Info: Restarting networking"
-/etc/init.d/networking restart || /bin/true
-
-echo "info: Starting services in sequence."
-for ALL in /etc/rc2.d/S* ; do
- if [ -h $ALL ] ; then
- SERVICE=$(basename $(readlink $ALL))
- else
- SERVICE=$(basename $ALL)
- fi
- echo "info: Starting $SERVICE"
- $ALL start || /bin/true
-done
+ if systemctl is-active --quiet $service; then
+ active="$active $service"
+ fi
+ done
+ systemctl stop $active || true
+ systemctl start $active
+}
+
+if [ -e /run/systemd/system/ ]; then
+ systemd_restart_services
+else
+ sysvinit_restart_services
+fi
exit 0
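Review bot: in `systemd_restart_services` the variable `active` is never initialised, so it inherits any value from the environment, and when none of the listed units is active `systemctl start $active` runs without a unit name and fails under `set -e` (the `|| true` only covers the `stop`). Start with `active=` and skip the stop and start when it is empty. `systemctl restart networking.service` also aborts the whole script on failure, whereas the sysvinit path tolerates it with `|| /bin/true`; make the two paths behave the same or document why they differ.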
diff -Nru debian-edu-config-2.12.32/sbin/debian-edu-test-install debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-test-install
--- debian-edu-config-2.12.32/sbin/debian-edu-test-install 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/sbin/debian-edu-test-install 2023-09-27 22:34:54.000000000 +0200
@@ -5,7 +5,7 @@
# Make sure strings and dates have predictable format
LC_ALL=C
-basedir=/usr/lib/debian-edu-config/testsuite
+basedir=/usr/libexec/debian-edu-config/testsuite
cd $basedir
diff -Nru debian-edu-config-2.12.32/sbin/update-hostname-from-ip debian-edu-config-2.12.41~deb12u1/sbin/update-hostname-from-ip
--- debian-edu-config-2.12.32/sbin/update-hostname-from-ip 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/sbin/update-hostname-from-ip 2023-09-27 22:34:54.000000000 +0200
@@ -110,22 +110,22 @@
fi
if [ "$IP" ] ; then
- HOSTNAME=$(ip2hostname $IP)
+ MY_HOSTNAME=$(ip2hostname $IP)
SOURCE="reverse DNS of $IP"
fi
-if $USEMAC && [ -z "$HOSTNAME" ] ; then
- HOSTNAME=$(ether2hostname $MAC)
+if $USEMAC && [ -z "$MY_HOSTNAME" ] ; then
+ MY_HOSTNAME=$(ether2hostname $MAC)
SOURCE="hardware MAC address"
fi
-if [ "$HOSTNAME" ]; then
+if [ "$MY_HOSTNAME" ]; then
if $onlyprint ; then
- echo $HOSTNAME
+ echo $MY_HOSTNAME
else
# Already got the correct host name?
- if [ "$HOSTNAME" != "$(uname -n)" ] ; then
- sethostname "$HOSTNAME" "$SOURCE"
+ if [ "$MY_HOSTNAME" != "$(uname -n)" ] ; then
+ sethostname "$MY_HOSTNAME" "$SOURCE"
fi
fi
else
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/d-i/finish-install debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/d-i/finish-install
--- debian-edu-config-2.12.32/share/debian-edu-config/d-i/finish-install 2023-02-15 15:13:06.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/d-i/finish-install 2023-09-27 22:34:54.000000000 +0200
@@ -135,7 +135,7 @@
mountpoints="$(grep " /target" /proc/mounts | cut -d" " -f2 | sed s%/target%%g)"
LANG=C chroot /target fuser -mv $mountpoints 2>&1 | sed 's/^/info: /'
-if LANG=C chroot /target fuser -mv $mountpoints 2>&1 | egrep -qv 'USER|mount |Cannot open ' ; then
+if LANG=C chroot /target fuser -mv $mountpoints 2>&1 | grep -Eqv 'USER|mount |Cannot open ' ; then
log "error: some processes blocking d-i from umounting /target/"
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/d-i/pre-pkgsel debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/d-i/pre-pkgsel
--- debian-edu-config-2.12.32/share/debian-edu-config/d-i/pre-pkgsel 2023-02-13 16:25:44.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/d-i/pre-pkgsel 2023-11-30 08:36:09.000000000 +0100
@@ -25,7 +25,7 @@
fi
# Default hostname is 'localhost'
- HOSTNAME=localhost
+ MY_HOSTNAME=localhost
# Default DNS server is tjener.intern
NAMESERVER=10.0.2.2
@@ -55,7 +55,7 @@
autoeth1=""
DNSDOMAIN=
MAILNAME=
- HOSTNAME=
+ MY_HOSTNAME=
eth0uuid=$(chroot /target uuid)
mkdir -p /target/etc/NetworkManager/system-connections
cat > /target/etc/NetworkManager/system-connections/eth0 <<EOF
@@ -80,7 +80,7 @@
autoeth1=""
DNSDOMAIN=
MAILNAME=
- HOSTNAME=
+ MY_HOSTNAME=
;;
Workstation)
# Use this unless Server also was choosen.
@@ -94,7 +94,7 @@
Main-Server)
# Override for workstations combining as servers
eth0=10.0.2.2:255.0.0.0:10.255.255.255:10.0.0.1
- HOSTNAME=tjener.intern
+ MY_HOSTNAME=tjener.intern
NAMESERVER=127.0.0.1
autoeth0="auto eth0"
;;
@@ -121,12 +121,6 @@
auto lo
iface lo inet loopback
EOF
- if [ "$DNSDOMAIN" ] && [ "$NAMESERVER" = "127.0.0.1" ] ; then
- cat >> $interfaces <<EOF
- dns-search $DNSDOMAIN
- dns-nameservers $NAMESERVER
-EOF
- fi
for interface in eth0 eth1 ; do
eval "ifinfo=\$$interface"
@@ -159,6 +153,12 @@
gateway $gateway
EOF
fi
+ if [ "$DNSDOMAIN" ] && [ "$NAMESERVER" = "127.0.0.1" ] ; then
+ cat >> $interfaces <<EOF
+ dns-search $DNSDOMAIN
+ dns-nameservers $NAMESERVER
+EOF
+ fi
cat >> $interfaces <<EOF
# The commented lines below is to be used if a DHCP server is in use
#iface $interface inet dhcp
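Review bot: moving the `dns-search` / `dns-nameservers` block from after `iface lo inet loopback` into the body of the `for interface in eth0 eth1` loop means it is now appended to every interface stanza the loop writes, not once. If the intent is to attach the resolver settings to a single interface, restrict the condition to that interface, and add a comment saying why the lines had to leave the `lo` stanza.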
@@ -179,9 +179,9 @@
echo "ff02::3 ip6-allhosts"
) > /target/etc/hosts
- if [ ! -z "$HOSTNAME" ] ; then
- echo "$HOSTNAME" > /target/etc/hostname
- in-target /bin/hostname "$HOSTNAME"
+ if [ ! -z "$MY_HOSTNAME" ] ; then
+ echo "$MY_HOSTNAME" > /target/etc/hostname
+ in-target /bin/hostname "$MY_HOSTNAME"
fi
# Update hostname based on reverse DNS entry of current IP or
@@ -195,7 +195,7 @@
# Avoid hardcoding entries on the clients, to make sure IP address
# range can be changed on the clients by changing DHCP
# configuration on the server.
- if [ "tjener.intern" = "$HOSTNAME" ] ; then
+ if [ "tjener.intern" = "$MY_HOSTNAME" ] ; then
(
echo
echo "10.0.2.2 tjener.intern tjener"
@@ -269,8 +269,8 @@
create_initial_localadmin_user() {
LOCAL_USER_ID="localadmin"
LOCAL_USER_GECOS="Local Administrator"
- LOCAL_USER_UIDNUMBER="500"
- LOCAL_USER_PRIMGIDNUMBER="500"
+ LOCAL_USER_UIDNUMBER="1000"
+ LOCAL_USER_PRIMGIDNUMBER="1000"
LOCAL_USER_INGROUPS="$LOCAL_USER_INGROUPS adm sudo"
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/gosa.conf.template debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/gosa.conf.template
--- debian-edu-config-2.12.32/share/debian-edu-config/gosa.conf.template 2023-02-06 10:30:29.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/gosa.conf.template 2023-11-30 08:36:09.000000000 +0100
@@ -346,7 +346,7 @@
sendCompressedOutput="true"
modificationDetectionAttribute="entryCSN"
language=""
- theme="default"
+ theme="classic"
sessionLifetime="7200"
templateCompileDirectory="/var/spool/gosa"
debugLevel="0"
@@ -361,8 +361,8 @@
userRDN="ou=people"
groupRDN="ou=group"
netgroupRDN="ou=netgroup"
- gidNumberBase="1000"
- uidNumberBase="1000"
+ gidNumberBase="2000"
+ uidNumberBase="2000"
loginAttribute="uid"
timezone="Etc/UTC"
honourUnitTags="false"
@@ -376,7 +376,7 @@
mailUserCreation=""
mailFolderCreation=""
imapTimeout="10"
- ldapTLS="true"
+ ldapTLS="false"
honourIvbbAttributes="false"
enableSnapshots="false"
snapshotBase="ou=snapshots,dc=skole,dc=skolelinux,dc=no"
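Review bot: ldapTLS flips from "true" to "false" in this hunk with no comment in the template saying why. If the connection between GOsa and the LDAP server is not protected some other way (an ldaps:// URI or a loopback-only connection, neither of which is visible here), bind credentials and password changes would travel unencrypted. Please add a comment next to the setting that names the transport protection replacing StartTLS, or keep "true".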
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/pam-nopwdchange.py debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/pam-nopwdchange.py
--- debian-edu-config-2.12.32/share/debian-edu-config/pam-nopwdchange.py 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/pam-nopwdchange.py 2023-09-27 22:34:54.000000000 +0200
@@ -30,7 +30,7 @@
user = pamh.get_user(None)
userinfo = pwd.getpwnam(user)
uid = userinfo[2]
- if 1000 <= uid:
+ if 2000 <= uid:
text = "\nPlease visit https://www/gosa to change your password for Debian Edu / Skolelinux. Thanks!\n"
msg = pamh.Message(pamh.PAM_TEXT_INFO, text)
pamh.conversation(msg)
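Review bot: The threshold in `if 2000 <= uid:` is a bare literal that has to stay in step with uidNumberBase="2000" in gosa.conf.template and FIRSTUSERUID=2000 in kerberos-kdc-init, both changed in this same debdiff. A short comment pointing at uidNumberBase, or a named constant, would make the coupling visible. As written, accounts with a uid from 1000 to 1999 are no longer redirected to GOsa for password changes, which should be stated as intended.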
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/rsyslog-filters debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/rsyslog-filters
--- debian-edu-config-2.12.32/share/debian-edu-config/rsyslog-filters 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/rsyslog-filters 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,2 @@
+# discard excessive nullmailer logging (#1003728)
+:programname, isequal, "nullmailer-send" stop
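Review bot: The filter stops every message whose programname is nullmailer-send, not only the excessive ones the comment refers to, so delivery failures logged by that program are discarded as well. Consider matching on the message text of the noisy lines or rate limiting instead, or say in the comment that losing all nullmailer-send logging is accepted.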
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/chromium-ldapconf debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/chromium-ldapconf
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/chromium-ldapconf 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/chromium-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Chromium configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+ *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+ /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage
+ ;;
+esac
+
+case $PROFILE in
+ *LTSP-Server*)
+ if [ -d /opt/ltsp ]; then
+ find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-chromium-homepage ldap:homepage \;
+ fi
+ ;;
+esac
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/configure-edu-gateway debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/configure-edu-gateway
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/configure-edu-gateway 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/configure-edu-gateway 1970-01-01 01:00:00.000000000 +0100
@@ -1,111 +0,0 @@
-#!/bin/sh
-#
-# Configure a Debian Edu system with 'Minimal' profile' to act as as gateway.
-
-# The configuration below applies to a Debian Edu machine in the internal
-# backbone network with two NICs, the eth0 interface attached to an existing
-# router and the eth1 one attached to the backbone network 10.0.0.0/8.
-#
-# Author/Copyright: Wolfgang Schweer <wschweer@arcor.de>
-# Licence: GPL2+
-# first edited: 2020-04-17
-# last edited: 2021-10-22
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-set -e
-
-# usage
-if [ -z "$1" ] ; then
- echo "Use $0 -h or $0 --help for more information"
- exit 0
-fi
-
-if [ "$1" = "-h" ] || [ "$1" = "--help" ] ; then
- cat <<EOF
-
-Usage information:
-
-$0 --firewall <yes|no>
-
-Turn a Debian Edu system with profile 'Minimal' into a gateway.
-
-'$0 --firewall no' configures this system as gateway.
-
-'$0 --firewall yes' installs the 'shorewall' package in addition and
- configures this system also as a firewall.
- See https://shorewall.org/two-interface.htm#System for detailed information.
-EOF
- exit 0
-fi
-
-# Prevent to do this more than one time
-if ! grep -Eq 10.0.0.0 /etc/default/enable-nat ; then
- sed -i 's/auto eth0/auto eth0 eth1/' /etc/network/interfaces
- sed -i '/eth1/ s/dhcp/static/' /etc/network/interfaces
- sed -i '/post-up/d' /etc/network/interfaces
- echo 'address 10.0.0.1' >> /etc/network/interfaces
- echo 'dns-nameservers 10.0.2.2' >> /etc/network/interfaces
- echo 'dns-domain intern' >> /etc/network/interfaces
- hostname -b gateway
- hostname > /etc/hostname
- rm -f /etc/dhcp/dhclient-exit-hooks.d/hostname
- rm -f /etc/dhcp/dhclient-exit-hooks.d/wpad-proxy-update
- rm -f /etc/dhcp/dhclient-exit-hooks.d/fetch-ldap-cert
- rm -f /etc/network/if-up.d/wpad-proxy-update
- sed -i 's/domain-name,//' /etc/dhcp/dhclient-debian-edu.conf
- sed -i 's/domain-search,//' /etc/dhcp/dhclient-debian-edu.conf
- sed -i 's#NAT=#NAT="10.0.0.0/8"#' /etc/default/enable-nat
- echo ""
- echo "The system has been configured as gateway."
- echo ""
-else
- echo ""
- echo "The system has already been configured as gateway."
- echo ""
-fi
-
-# Optionally install, configure, enable and start shorewall.
-if [ "yes" = "$2" ] && [ ! -d /etc/shorewall ] ; then
- echo ""
- echo "Now setting up shorewall like requested."
- echo ""
- if grep -q / /etc/debian_version ; then
- dist=$(cat /etc/debian_version | cut -d/ -f1)
- else
- dist=$(lsb_release -sc)
- fi
- if egrep -q '^deb cdrom:' /etc/apt/sources.list ; then
- sed -i 's/deb cdrom/#deb cdrom/' /etc/apt/sources.list
- echo "deb http://deb.debian.org/debian $dist main" >> /etc/apt/sources.list
- fi
- apt update
- apt -yq install shorewall
- for i in interfaces policy rules snat stoppedrules zones ; do
- cp /usr/share/doc/shorewall/examples/two-interfaces/$i /etc/shorewall
- done
- echo "NET_IF=eth0" >> /etc/shorewall/params
- echo "NET_OPTIONS=routefilter,norfc1918" >> /etc/shorewall/params
- systemctl enable shorewall
- systemctl start shorewall
-fi
-
-# Give feedback
-if [ -e /etc/shorewall/snat ] ; then
- echo ""
- echo "Shorewall has been configured for the two-interfaces setup on this system."
- echo ""
- echo "See https://shorewall.org/two-interface.htm#System for detailed information."
- echo ""
-fi
-echo
-echo "Configuration finished. Please reboot the system to activate the changes."
-echo
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/edu-icinga-setup debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/edu-icinga-setup
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/edu-icinga-setup 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/edu-icinga-setup 2023-09-27 22:34:54.000000000 +0200
@@ -34,6 +34,11 @@
# run 'mysql_secure_installation'.)
setup_icinga() {
+ # Generate random password (alphanumeric ASCII characters only in order
+ # to avoid problems with quoting below)
+ password="$(LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | dd bs=1 count=16 2>/dev/null)"
+ [ -n "${password}" ] || exit 1
+
# Delete anonymous users
mysql -e "DELETE FROM mysql.user WHERE User='';"
# Ensure the root user can not log in remotely
@@ -55,7 +60,7 @@
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
ON icingadb.*
TO 'icinga2'@'localhost'
- IDENTIFIED BY 'v64nhbe27dfBjR3T';
+ IDENTIFIED BY '${password}';
FLUSH PRIVILEGES;
"
# Install the MySQL schema required for the Icinga 2 database
@@ -63,12 +68,24 @@
# Adjust the Icinga 2 MySQL IDO configuration
#sed -i "/user/ s%icinga2%$FIRSTUSERNAME%" "/etc/icinga2/features-available/ido-mysql.conf"
- sed -i "/password/ s%\".*\"%\"v64nhbe27dfBjR3T\"%" "/etc/icinga2/features-available/ido-mysql.conf"
+ sed -i "/password/s/.*/ password = \"${password}\",/" /etc/icinga2/features-available/ido-mysql.conf
sed -i '/database/ s%icinga2%icingadb%' /etc/icinga2/features-available/ido-mysql.conf
# Enable ido-mysql feature
icinga2 feature enable ido-mysql
+ # Create Icinga Web 2 database
+ mysql <<< "
+ CREATE DATABASE icingaweb2;
+ GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE
+ ON icingaweb2.*
+ TO 'icingaweb2'@'localhost'
+ IDENTIFIED BY '${password}';
+ FLUSH PRIVILEGES;
+ "
+ # Install the MySQL schema required for the Icinga Web 2 database
+ mysql icingaweb2 < /usr/share/icingaweb2/schema/mysql.schema.sql
+
# Add icinga2 configuration files (content gathered from manual setup procedure)
#
# authentication.ini
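Review bot: The new icingaweb2 database account is created with `IDENTIFIED BY '${password}'`, the same generated value already given to 'icinga2'@'localhost', so one leaked configuration file exposes both accounts; generate a second value for icingaweb2. Separately, the rewritten sed expression keyed on `/password/` replaces any line in ido-mysql.conf that contains the word password, commented lines included, so anchoring on the key at the start of the line would be safer. The `mysql <<< "..."` here-string also needs bash, which is worth confirming against the script's interpreter line since that line is not visible in the diff.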
@@ -82,12 +99,13 @@
domain = ""
resource = "icingaweb_ldap"
EOF
+
# config.ini
cat <<- EOF > /etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
- config_backend = "ini"
+ config_resource = "icingaweb_db"
[logging]
log = "file"
@@ -127,6 +145,17 @@
bind_pw = ""
timeout = "5"
+ [icingaweb_db]
+ type = "db"
+ db = "mysql"
+ host = "localhost"
+ port = ""
+ dbname = "icingaweb2"
+ username = "icingaweb2"
+ password = "${password}"
+ charset = ""
+ use_ssl = "0"
+
[icinga_ido]
type = "db"
db = "mysql"
@@ -134,7 +163,7 @@
port = ""
dbname = "icingadb"
username = "icinga2"
- password = "v64nhbe27dfBjR3T"
+ password = "${password}"
charset = ""
use_ssl = "0"
EOF
@@ -165,11 +194,8 @@
EOF
# Adjusts rights to get the web interface working
- chmod 660 /etc/icingaweb2/*.ini
- chmod g+rwx /etc/icingaweb2/enabledModules/
- chmod g+rwx /etc/icingaweb2/modules/monitoring/
- chmod o+x /etc/icingaweb2/modules/monitoring/
- chmod 660 /etc/icingaweb2/modules/monitoring/*.ini
+ find /etc/icingaweb2/ -type f -name '*.ini' -exec chmod 660 {} +
+ find /etc/icingaweb2/ -type d -exec chmod 775 {} +
# Create icingaweb2 log directory
mkdir -p /var/log/icingaweb2/
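Review bot: `find /etc/icingaweb2/ -type d -exec chmod 775 {} +` sets world read and execute on every directory under /etc/icingaweb2, which is wider than the removed lines (they only touched enabledModules/ and modules/monitoring/). The .ini files stay at 660, but any file without that suffix keeps whatever mode it had, and this tree now holds the generated database password. Unless other users need to traverse it, 770 (or 2770 to keep the group on new entries) fits better.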
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/fetch-rootca-cert debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/fetch-rootca-cert
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/fetch-rootca-cert 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/fetch-rootca-cert 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Fetches Debian Edu rootCA certificate from the main server
+#
+# Author: Wolfgang Schweer, <wschweer@arcor.de>
+# Date: 2020-02-14
+#
+
+if [ -r /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+BUNDLECRT=/etc/ssl/certs/debian-edu-bundle.crt
+ROOTCACRT=/etc/ssl/certs/Debian-Edu_rootCA.crt
+LOCALCACRT=/usr/local/share/ca-certificates/Debian-Edu_rootCA.crt
+
+# Remove no longer used certificate file
+rm -f $BUNDLECRT
+
+# RootCA cert retrieval (avoid execution on the main server, things are in place)
+case $PROFILE in
+*Main-Server*)
+ logger -t fetch-rootca-cert "Running on the main server, exiting."
+ exit 0
+ ;;
+esac
+
+if [ -f $LOCALCACRT ] && [ -s $LOCALCACRT ] ; then
+ # The cert file already exists, nothing to do.
+ exit 0
+fi
+
+if [ -z "$(dig +short A www.intern)" ] ; then
+ # If the main server is not resolvable, we are not part of a DebianEdu
+ # network, no need to report an error.
+ exit 0
+fi
+
+# Since Debian Edu 10, the RootCA file is distributed
+# over http (always via the host serving www.intern, by default: TJENER)
+#
+# We do an availability check for the webserver first, to provide proper
+# error reporting (see below). So, the following check merely discovers,
+# if the webserver is online at all.
+if curl -sfk --head -o /dev/null https://www.intern 2>/dev/null; then
+ # Now let's see if the webserver has the "Debian Edu RootCA" file.
+ # This has been the case for Debian Edu main servers (TJENER) since
+ # Debian Edu 10.1.
+ if curl -fk https://www.intern/Debian-Edu_rootCA.crt > $LOCALCACRT 2>/dev/null && \
+ grep -q CERTIFICATE $LOCALCACRT ; then
+ # Make rootCA certificate available in /etc/ssl/certs/
+ ln -nsf $LOCALCACRT $ROOTCACRT
+ # Integrate the rootCA certificate into /etc/ssl/certs/ca-certificates
+ update-ca-certificates
+ logger -t fetch-rootca-cert "Deploy the Debian Edu rootCA certificate fetched from www.intern systemwide."
+ else
+ # Drop $ROOTCACRT and $LOCALCACRT files, as they probably only contain some
+ # 404 http error message in html.
+ rm -f $LOCALCACRT
+ rm -f $ROOTCACRT
+ logger -t fetch-rootca-cert "Failed to fetch rootCA certificate from www.intern."
+ fi
+else
+ # Report an error, if www.intern is down http-wise. This can happen and is probably
+ # a temporary problem that needs an admin to fix it.
+ logger -t fetch-rootca-cert "Failed to connect to www.intern, maybe the web server is down."
+ exit 1
+fi
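Review bot: The certificate is downloaded with `curl -fk` and accepted as soon as `grep -q CERTIFICATE` matches, then installed system-wide by update-ca-certificates, so whatever answers as www.intern on first contact becomes a trusted root. -k is unavoidable before the root is known, but the content check should be stronger: download to a temporary file, confirm it parses as a single X.509 certificate (for example with openssl x509 -noout), and only then move it to $LOCALCACRT; where a fingerprint can be provisioned at install time, compare against it. Writing straight into /usr/local/share/ca-certificates also leaves a partial file in place if the script is interrupted between the curl and the rm -f.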
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/firefox-ldapconf debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/firefox-ldapconf
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/firefox-ldapconf 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/firefox-ldapconf 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+# Update Firefox configuration from LDAP
+#
+
+if [ -e /etc/debian-edu/config ] ; then
+ . /etc/debian-edu/config
+fi
+
+# Only networked profiles use LDAP
+case $PROFILE in
+ *Main-Server*|*Workstation*|*LTSP-Server*|*Thin-Client-Server*|*Minimal*)
+ /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage
+ ;;
+esac
+
+case $PROFILE in
+ *LTSP-Server*)
+ if [ -d /opt/ltsp ]; then
+ find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d -exec chroot {} /usr/share/debian-edu-config/tools/update-firefox-homepage ldap:homepage \;
+ fi
+ ;;
+esac
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/goodbye-user-session debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/goodbye-user-session
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/goodbye-user-session 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/goodbye-user-session 2023-09-27 22:34:54.000000000 +0200
@@ -16,7 +16,7 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-if [ $EUID -ge 500 ]; then
+if [ $EUID -ge 1000 ]; then
# safety net for well-known browsers
pkill -TERM -u "${LOGNAME}" x-www-browser
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-create debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-create
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-create 2021-03-30 13:17:37.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-create 2023-09-27 22:34:54.000000000 +0200
@@ -12,7 +12,7 @@
## directory already exists. In both cases nothing should happen.
PREFIX=/skole
-HOSTNAME=$(hostname -s)
+MY_HOSTNAME=$(hostname -s)
USERID=$1
#FIXME Change this ldap search to only find new users, to not slow down as more users are added.
@@ -29,7 +29,7 @@
gidNumber:) GROUPID="$VALUE" ;;
"")
test "$HOMEDIR" || continue
- echo "$HOMEDIR" | grep -q "^$PREFIX/$HOSTNAME" || continue
+ echo "$HOMEDIR" | grep -q "^$PREFIX/$MY_HOSTNAME" || continue
test -e "$HOMEDIR" && continue
cp -r /etc/skel $HOMEDIR
if type nscd > /dev/null 2>&1 ; then
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-remove debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-remove
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-remove 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-remove 2023-09-27 22:34:54.000000000 +0200
@@ -28,14 +28,14 @@
[ -d $HOMEDIR ] || exit 1
PREFIX=/skole
-HOSTNAME=$(hostname -s)
+MY_HOSTNAME=$(hostname -s)
# Obviously a user template was removed. Ignoring.
-echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*/%uid" && exit 0
+echo "$HOMEDIR" | grep -Eq "^$PREFIX/$MY_HOSTNAME.*/%uid" && exit 0
# An LDAP user that did not have their home at a place we manage with this script
# has been removed. This should not happen. Exiting with error.
-echo "$HOMEDIR" | egrep -q "^$PREFIX/$HOSTNAME.*$USERID" || exit 1
+echo "$HOMEDIR" | grep -Eq "^$PREFIX/$MY_HOSTNAME.*$USERID" || exit 1
## move mail directory to home directory
if [ -d /var/mail/$USERID ]; then
@@ -52,7 +52,7 @@
chown root:root $RM_HOMEDIR
chmod go-rwx $RM_HOMEDIR
-kadmin.local -q "delete_principal $USERID"
+kadmin.local -q "delete_principal -force $USERID"
pdbedit -x -u $USERID > /dev/null
logger -t gosa-remove -p notice Home directory \'$HOMEDIR\' marked for deletion, samba account and principal \'$USERID\' removed.
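Review bot: With -force added, `kadmin.local -q "delete_principal -force $USERID"` no longer asks for confirmation, and $USERID is expanded inside the query string with nothing in the visible lines restricting it to a single principal name. The earlier `grep -Eq "^$PREFIX/$MY_HOSTNAME.*$USERID"` check treats USERID as an unanchored regular expression, so it does not validate the value. Please reject a USERID that contains whitespace or characters outside the expected user name set before this line is reached.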
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-sync debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-sync
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/gosa-sync 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/gosa-sync 2023-12-03 08:45:01.000000000 +0100
@@ -33,13 +33,10 @@
TMPFILE=$(mktemp)
trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM
-cat <<EOF | tr -d "\n" > "$TMPFILE"
+base64 -d - <<EOF > "$TMPFILE"
$USERPASSWORD
EOF
-# remove escapes from the password added by GOsa²...
-sed -i $TMPFILE -e 's/\\//g'
-
# check the password in $TMPfile against LDAP...
IAM=`ldapwhoami -x -Z -y "$TMPFILE" -D "$USERDN" 2>/dev/null || true`
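Review bot: The exit status of `base64 -d` is not checked, so if $USERPASSWORD is not valid base64 (for example a GOsa that still passes the escaped plaintext) $TMPFILE ends up empty or truncated and the script carries on to ldapwhoami with it. Fail early with a logged error when decoding fails. The context line `trap "rm -f $TMPFILE" ERR SIGHUP SIGINT SIGTERM` also has no EXIT condition, so please confirm that every normal exit path removes the file holding the decoded password.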
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/kerberos-kdc-init debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/kerberos-kdc-init
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/kerberos-kdc-init 2021-04-26 23:38:21.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/kerberos-kdc-init 2023-09-27 22:34:54.000000000 +0200
@@ -248,9 +248,9 @@
cp -r /etc/skel $HOMEDIR
# Must use uid/gid as NSS is not able to connect to LDAP yet
- UID=1000
- GID=1000
- chown -R $UID:$GID $HOMEDIR
+ FIRSTUSERUID=2000
+ FIRSTUSERGID=2000
+ chown -R $FIRSTUSERUID:$FIRSTUSERGID $HOMEDIR
pwlen=$(echo -n "$FIRSTUSERPWD" | wc -c)
echo "Creating Kerberos principal for $USERDN (password length $pwlen)"
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/nat debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/nat
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/nat 1970-01-01 01:00:00.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/nat 2023-09-27 22:34:54.000000000 +0200
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+IPTABLES=/usr/sbin/iptables
+
+NETWORK_TO_NAT=
+OUTSIDE_IF=eth0
+
+[ -x $IPTABLES ] || exit 1
+
+# Only enable by default if LTSP is installed
+if [ -e /srv/ltsp ] ; then
+ NETWORK_TO_NAT="192.168.0.0/24"
+fi
+
+if [ -f /etc/default/enable-nat ] ; then
+ . /etc/default/enable-nat
+fi
+
+# Bail out if no network is configured
+[ -n "$NETWORK_TO_NAT" ] || exit 0
+
+case $1 in
+enable)
+ # Exit if already enabled
+ $IPTABLES -t nat -n -L POSTROUTING | \
+ awk -v net="$NETWORK_TO_NAT" '
+ NR > 2 && $1 == "MASQUERADE" && $4 == net {
+ found=1
+ exit
+ }
+ END {
+ exit(!found)
+ }' && exit 0
+
+ $IPTABLES -t nat -A POSTROUTING -s "$NETWORK_TO_NAT" -o "$OUTSIDE_IF" -j MASQUERADE
+
+ # Enable IP-forwarding if it isn't enabled already.
+ sysctl -wq net.ipv4.ip_forward=1
+ ;;
+disable)
+ $IPTABLES -F -t nat
+ ;;
+*)
+ printf 'usage: %s [enable|disable]\n' "$(basename "$0")" >&2
+ exit 1
+ ;;
+esac
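Review bot: The disable branch runs `$IPTABLES -F -t nat`, which flushes every chain in the nat table, not just the MASQUERADE rule that enable appends, so nat rules installed by anything else on the host are lost. Deleting the specific rule with -D POSTROUTING and the same -s/-o/-j arguments used in enable would undo only what this script added. Note also that disable leaves net.ipv4.ip_forward at 1.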
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/preseed-sitesummary debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/preseed-sitesummary
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/preseed-sitesummary 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/preseed-sitesummary 2023-09-27 22:34:54.000000000 +0200
@@ -27,7 +27,7 @@
if ping -c2 sitesummary > /dev/null 2>&1 ; then
sitesummaryserver=$(getent hosts sitesummary | awk '{print $2}')
else
- host=$(LC_ALL=C host -N 2 -t SRV _sitesummary._tcp | egrep -v '^;|NXDOMAIN|SERVFAIL' | awk '{print $NF}' | head -1)
+ host=$(LC_ALL=C host -N 2 -t SRV _sitesummary._tcp | grep -Ev '^;|NXDOMAIN|SERVFAIL' | awk '{print $NF}' | head -1)
if [ "$host" ] && ping -c2 "$host" ; then
sitesummaryserver=$(echo $host | sed 's/\.$//')
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-ad-client debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/setup-ad-client
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-ad-client 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/setup-ad-client 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
# See if we can find an Active Directory LDAP server.
lookup_ad_server() {
dnsdomain="$1"
- adserver=$(host -N 2 -t SRV _ldap._tcp.$dnsdomain | egrep -v 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
+ adserver=$(host -N 2 -t SRV _ldap._tcp.$dnsdomain | grep -Ev 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
if [ "$adserver" ] ; then
echo $adserver | sed 's/\.$//'
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-freeradius-server debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/setup-freeradius-server
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/setup-freeradius-server 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/setup-freeradius-server 2023-09-27 22:34:54.000000000 +0200
@@ -115,31 +115,75 @@
service freeradius stop
# Generate freeRADIUS specific CA and server certificates and make them available.
-chmod +x bootstrap
-PASSWORD="$(pwgen -1)"
+PASSWORD="$(pwgen -1 16)"
-for i in *.cnf xpextensions ; do
- sed -i "s#whatever#$PASSWORD#g" $i
- sed -i 's#FR#NO#g' $i
- sed -i 's#Example Inc.#Debian Edu#g' $i
- sed -i 's#admin@example.org#postmaster@postoffice.intern#g' $i
- sed -i 's#user@example.org#user@postoffice.intern#g' $i
- sed -i 's#example.org/example#intern/intern#g' $i
- sed -i 's#example.com/example#intern/intern#g' $i
- sed -i 's#Example S#Debian Edu freeRADIUS S#g' $i
- sed -i 's#Example C#Debian Edu freeRADIUS C#g' $i
- sed -i 's#*example.com#*intern#g' $i
- sed -i 's#radius.example.com#freeradius.intern#g' $i
- sed -i 's#= 60#= 3650#g' $i
- sed -i 's#Example Inner S#Debian Edu freeRADIUS Inner S#g' $i
-done
-
-sed -i "s#whatever#$PASSWORD#g" ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.pem#freeradius-server.crt#' ../mods-available/eap
-sed -i 's#ssl-cert-snakeoil.key#freeradius-server.key#' ../mods-available/eap
-sed -i 's#ca-certificates.crt#freeradius-ca.crt#' ../mods-available/eap
+update-ini-file ca.cnf req input_password "${PASSWORD}"
+update-ini-file client.cnf req input_password "${PASSWORD}"
+update-ini-file inner-server.cnf req input_password "${PASSWORD}"
+update-ini-file server.cnf req input_password "${PASSWORD}"
+
+update-ini-file ca.cnf req output_password "${PASSWORD}"
+update-ini-file client.cnf req output_password "${PASSWORD}"
+update-ini-file inner-server.cnf req output_password "${PASSWORD}"
+update-ini-file server.cnf req output_password "${PASSWORD}"
+
+update-ini-file ca.cnf certificate_authority countryName NO
+update-ini-file client.cnf client countryName NO
+update-ini-file inner-server.cnf server countryName NO
+update-ini-file server.cnf server countryName NO
+
+update-ini-file ca.cnf certificate_authority organizationName "Debian Edu"
+update-ini-file client.cnf client organizationName "Debian Edu"
+update-ini-file inner-server.cnf server organizationName "Debian Edu"
+update-ini-file server.cnf server organizationName "Debian Edu"
+
+update-ini-file xpextensions xpclient_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file xpextensions xpserver_ext crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf CA_default crlDistributionPoints URI:http://www.intern/intern_ca.crl
+update-ini-file ca.cnf v3_ca crlDistributionPoints URI:http://www.intern/intern_ca.crl
+
+update-ini-file ca.cnf certificate_authority emailAddress postmaster@postoffice.intern
+update-ini-file inner-server.cnf server emailAddress postmaster@postoffice.intern
+update-ini-file server.cnf server emailAddress postmaster@postoffice.intern
+
+update-ini-file client.cnf client commonName user@postoffice.intern
+update-ini-file client.cnf client emailAddress user@postoffice.intern
+
+update-ini-file ca.cnf certificate_authority commonName '"Debian Edu freeRADIUS Certificate Authority"'
+update-ini-file server.cnf server commonName freeradius.intern
+
+update-ini-file server.cnf alt_names DNS.1 freeradius.intern
+
+update-ini-file ca.cnf CA_default default_days 3650
+update-ini-file client.cnf CA_default default_days 3650
+update-ini-file inner-server.cnf CA_default default_days 3650
+update-ini-file server.cnf CA_default default_days 3650
+
+update-ini-file inner-server.cnf server commonName '"Debian Edu freeRADIUS Inner Server Certificate"'
+
+grep -q '^[[:blank:]]*subjectAltName[[:blank:]=]' xpextensions || cat >>xpextensions <<'EOF'
+
+subjectAltName = @alt_names
+
+# This should be a host name of the RADIUS server.
+# Note that the host name is exchanged in EAP *before*
+# the user machine has network access. So the host name
+# here doesn't really have to match anything in DNS.
+[alt_names]
+DNS.1 = freeradius.intern
+
+# NAIRealm from RFC 7585
+otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.intern
+EOF
+
+sed -i \
+ -e "/^[[:blank:]]*private_key_password[[:blank:]=]/s#=.*#= $PASSWORD#g" \
+ -e '/^[[:blank:]]*certificate_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-server.crt#g' \
+ -e '/^[[:blank:]]*private_key_file[[:blank:]=]/s#=.*#= /etc/ssl/private/freeradius-server.key#g' \
+ -e '/^[[:blank:]]*ca_file[[:blank:]=]/s#=.*#= /etc/ssl/certs/freeradius-ca.crt#g' \
+ ../mods-available/eap
-./bootstrap
+sh ./bootstrap
chmod 644 dh server.crt server.pem ca.pem ca.der
chmod 640 server.key
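Review bot: `pwgen -1 16` without -s produces a pronounceable password, which carries less entropy than a fully random one of the same length; `pwgen -s -1 16` is the better choice for the key passphrase. The value is then passed as an argument to eight update-ini-file calls and to sed, where it is visible in the process list to local users while each command runs; the removed sed loop had the same exposure, but it deserves a comment. The expression `s#=.*#= $PASSWORD#g` also relies on the password never containing #, which holds for pwgen's default alphanumeric output and should be noted next to it.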
@@ -157,8 +201,6 @@
# Cleanup the certs dir.
make clean
-chmod -x bootstrap
-
# Start the configured freeRADIUS service and give some feedback.
service freeradius start
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/show-welcome-webpage debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/show-welcome-webpage
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/show-welcome-webpage 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/show-welcome-webpage 2023-09-27 22:34:54.000000000 +0200
@@ -14,7 +14,7 @@
fi
if [ "$GETDEFAULTHOMEPAGE" ] &&
- echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+ echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
if [ "$GETDEFAULTHOMEPAGE" = "http://www/" ] || [ "$GETDEFAULTHOMEPAGE" = "https://www/" ] ; then
for lang in $(echo $LANGCODE | tr : " "); do
if wget -q -O /dev/null ${GETDEFAULTHOMEPAGE}index.html.$lang ; then
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/sssd-generate-config debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/sssd-generate-config
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/sssd-generate-config 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/sssd-generate-config 2023-09-27 22:34:54.000000000 +0200
@@ -14,7 +14,7 @@
if ping -c2 ldap.$domain > /dev/null 2>&1; then
echo ldap://ldap.$domain
else
- host=$(host -N 2 -t SRV _ldap._tcp.$domain | egrep -v 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
+ host=$(host -N 2 -t SRV _ldap._tcp.$domain | grep -Ev 'NXDOMAIN|^;' | awk '{print $NF}' | head -1)
if [ "$host" ] ; then
echo ldap://$host | sed 's/\.$//'
fi
@@ -33,7 +33,7 @@
if ldapsearch -LLL -H $ldapuri -x -b "$context" -s sub -z 1 \
'(|(objectClass=posixAccount)(objectclass=posixGroup))' 2>&1 | \
perl -p0e 's/\n //g' | \
- egrep -q '^dn:|^Administrative limit exceeded' ; then
+ grep -Eq '^dn:|^Administrative limit exceeded' ; then
echo $context
return
fi
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/update-dlw-krb5-keytabs debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/update-dlw-krb5-keytabs
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/update-dlw-krb5-keytabs 2022-02-13 09:44:28.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/update-dlw-krb5-keytabs 2023-09-27 22:34:54.000000000 +0200
@@ -49,7 +49,7 @@
# Clear caching daemon's NIS netgroup cache (this assures an LDAP re-lookup).
nscd -i netgroup
-DLW_HOSTS_NETGROUP=$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")
+DLW_HOSTS_NETGROUP="$(netgroup diskless-workstation-hosts | grep -E "\.${DOMAIN}$")" || true
# Do some sanity checks...
if [ "$(id -u)" != "0" ]; then
diff -Nru debian-edu-config-2.12.32/share/debian-edu-config/tools/update-proxy-from-wpad debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/update-proxy-from-wpad
--- debian-edu-config-2.12.32/share/debian-edu-config/tools/update-proxy-from-wpad 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/share/debian-edu-config/tools/update-proxy-from-wpad 2023-09-27 22:34:54.000000000 +0200
@@ -96,6 +96,29 @@
fi
}
+update_dconf() {
+ proxy_host="${http_proxy#*://}"
+ proxy_port="${proxy_host##*:}"
+ proxy_host="${proxy_host%:*}"
+ cat >/etc/dconf/db/site.d/50-proxy <<EOF
+[system/proxy/http]
+host='${proxy_host}'
+port=${proxy_port}
+enabled=true
+
+[system/proxy/https]
+host='${proxy_host}'
+port=${proxy_port}
+enabled=true
+
+[system/proxy/ftp]
+host='${proxy_host}'
+port=${proxy_port}
+enabled=true
+EOF
+ dconf update
+}
+
if [ -r /etc/debian-edu/config ] ; then
. /etc/debian-edu/config
fi
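Review bot: update_dconf writes ${proxy_host} and ${proxy_port} into /etc/dconf/db/site.d/50-proxy without checking them, and http_proxy in this script is derived from WPAD, which is network-supplied. A value with a trailing slash or path makes the port non-numeric, a value without a port makes the port equal to the host, and a quote or newline in the host would break out of the host='...' assignment. Check that the port is all digits and the host contains only hostname characters before writing the file, and skip the dconf update otherwise.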
@@ -116,11 +139,13 @@
update_apt_conf
- # Do not set proxy in /etc/environment for machines that move around,
- # as the value will be wrong when arriving at a new network.
- if echo "$PROFILE" | egrep -q 'Roaming-Workstation|Standalone' ; then
- :
- else
+ # Do not set proxy in /etc/environment and dconf for machines that
+ # move around, # as the value will be wrong when arriving at a new
+ # network.
+ case $PROFILE in
+ *Roaming-Workstation*|*Standalone*) ;;
+ *)
update_etc_environment
- fi
+ update_dconf
+ esac
fi
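Review bot: The reworded comment has a stray "#" in "move around, # as the value", left over from re-wrapping. The last case branch also ends without `;;` after update_dconf; the shell accepts that, but it is easy to trip over when another branch is added later.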
diff -Nru debian-edu-config-2.12.32/testsuite/automount debian-edu-config-2.12.41~deb12u1/testsuite/automount
--- debian-edu-config-2.12.32/testsuite/automount 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/testsuite/automount 2023-09-27 22:34:54.000000000 +0200
@@ -12,7 +12,7 @@
# Automount is not used on the Main-Server, Roaming workstation and
# Standalone profiles.
-if echo "$PROFILE" | egrep -q 'Main-Server|Roaming-Workstation|Standalone' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Roaming-Workstation|Standalone' ; then
exit 0
fi
diff -Nru debian-edu-config-2.12.32/testsuite/dhcpd debian-edu-config-2.12.41~deb12u1/testsuite/dhcpd
--- debian-edu-config-2.12.32/testsuite/dhcpd 2019-02-15 11:58:02.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/testsuite/dhcpd 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only main-server and thin-client server profiles run dhcpd
-if echo "$PROFILE" | egrep -q 'Main-Server|LTSP-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|LTSP-Server' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/filesystems debian-edu-config-2.12.41~deb12u1/testsuite/filesystems
--- debian-edu-config-2.12.32/testsuite/filesystems 2014-10-12 12:51:32.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/testsuite/filesystems 2023-09-27 22:34:54.000000000 +0200
@@ -1,58 +1,65 @@
#!/bin/sh
#
-# Check that we are using ext3, not ext2
+# Check that we are using ext3/4 filesystems with expected options
if test -r /etc/debian-edu/config ; then
. /etc/debian-edu/config
fi
-LANG=C
-export LANG
+LC_ALL=C
+export LC_ALL
-awk "/ext2/ { print \"error: $0: Using ext2 on\",\$2 }" /proc/mounts
-awk "/ext3|ext4/ { print \"success: $0: Using ext3 on\",\$2 }" /proc/mounts
+scriptname="$0"
-# Check if the filesystems on the mountpoints support acls
-for f in `grep 'ext' /proc/mounts|awk '{print $1}'`; do
- if [ `chacl -l $f | grep 'cannot get'` ]; then
- echo "error: $0: $f doesn't support acls"
- else
- echo "success: $0: $f supports acls"
- fi
-done
-
-# Make sure all ext3/ext4 mount points are online resizable
-for p in `(df -Pt ext3 2>/dev/null;df -Pt ext4 2>/dev/null) | grep -v ^Filesystem |awk '{print $1}'`; do
- if tune2fs -l $p| grep features | grep -q resize_inode ; then
- :
- else
- echo "error: $0: Missing resize_inode in ext3/ext4 fs $p"
- fi
-done
+while read -r line; do
+ set -- $line
+ case $3 in
+ ext2)
+ if [ $2 != '/boot' ]; then
+ printf 'error: %s: Using ext2 on %s\n' "${scriptname}" "$1"
+ fi
+ ;;
+ ext3|ext4)
+ printf 'success: %s: Using ext3/4 on %s\n' "${scriptname}" "$1"
+
+ # Check if the filesystems on the mountpoints support acls
+ if chacl -l "$1" >/dev/null 2>&1; then
+ printf "success: %s: %s supports acls\n" "${scriptname}" "$1"
+ else
+ printf "error: %s: %s doesn't support acls\n" "${scriptname}" "$1"
+ fi
+
+ # Make sure all ext3/ext4 mount points are online resizable
+ if ! tune2fs -l "$1" | grep -q '^Filesystem features:.* resize_inode'; then
+ printf 'error: %s: Missing resize_inode in ext3/ext4 fs %s\n' "${scriptname}" "$2"
+ fi
+ ;;
+ esac
+done </proc/mounts
-if echo "$PROFILE" | grep -q Main-Server ; then
+case $PROFILE in
+*Main-Server*)
# Make sure autofs do not hide the real file systems
if [ -d /skole/tjener/home0/lost+found ] ; then
- echo "success: $0: Found lost+found in /skole/tjener/home0/"
+ printf 'success: %s: Found lost+found in /skole/tjener/home0/\n' "${scriptname}"
else
- echo "error: $0: No lost+found in /skole/tjener/home0/. Blocked by autofs?"
+ printf 'error: %s: No lost+found in /skole/tjener/home0/. Blocked by autofs?\n' "${scriptname}"
fi
# Make sure home0 and backup have acl and user_xattr enabled. See
# if bug #638822 is present or not.
for dir in /skole/tjener/home0 /skole/backup; do
- dev="$(LC_ALL=C df -P /var/log|awk '/%/ {print $1}')"
- for opt in acl user_xattr ; do
- if LC_ALL=C tune2fs -l "$dev" | \
- grep 'Default mount' | \
- grep -qw $opt ; then
- echo "success: $0: Found option $opt in $dir."
- else
- echo "error: $0: Did not find option $opt in $dir."
- fi
- done
+ dev="$(findmnt -T "${dir}" -n -o SOURCE)"
+ for opt in acl user_xattr; do
+ if tune2fs -l "${dev}" | grep -q "^Default mount options:.* ${opt}"; then
+ printf "success: %s: Found option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+ else
+ printf "error: %s: Did not find option %s in %s.\n" "${scriptname}" "${opt}" "${dir}"
+ fi
+ done
done
-fi
+ ;;
+esac
# Report too full file systems. Should have at least 20% free to
# avoid warning from Nagios, preferably between 20% and 25%.
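Review bot: in the new /proc/mounts loop, "set -- $line" splits the line unquoted, so the fields also undergo pathname expansion, and "[ $2 != '/boot' ]" is unquoted as well. "while read -r dev mnt fstype rest" would name the fields and avoid both. The use of the fields is inconsistent too: $1 is the device and $2 the mount point, yet the ext2 and ext3/4 messages print $1, while the resize_inode error prints $2 although tune2fs was run on $1. chacl -l "$1" is run on the device node rather than on the mounted filesystem at $2. In the Main-Server part, the replacement for "grep -qw $opt" matches ".* ${opt}" without anchoring the end of the word, so an option name that merely starts with acl or user_xattr would also count as found.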
diff -Nru debian-edu-config-2.12.32/testsuite/hardware debian-edu-config-2.12.41~deb12u1/testsuite/hardware
--- debian-edu-config-2.12.32/testsuite/hardware 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/testsuite/hardware 2023-09-27 22:34:54.000000000 +0200
@@ -33,7 +33,7 @@
fi
done
-disks=`cat /proc/partitions|egrep 'ide|scsi'|awk '{print $4}'|grep '/disc'|sed 's%^%/dev/%'`
+disks=`cat /proc/partitions|grep -E 'ide|scsi'|awk '{print $4}'|grep '/disc'|sed 's%^%/dev/%'`
for disk in $disks ; do
/sbin/hdparm -i $disk 2>&1 | sed "s%^%info: $0: hdparm: %"
done
diff -Nru debian-edu-config-2.12.32/testsuite/ldap-client debian-edu-config-2.12.41~deb12u1/testsuite/ldap-client
--- debian-edu-config-2.12.32/testsuite/ldap-client 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/testsuite/ldap-client 2023-09-27 22:34:54.000000000 +0200
@@ -16,7 +16,7 @@
fi
# Only networked profiles use LDAP
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
@@ -24,13 +24,20 @@
RESULT=0
-# Locate LDAP server dynamically, by looking up SRV records. The -N 2
+# Locate LDAP server dynamically, by looking up SRV records. The +ndots=2
# argument is tested and found to work with the debian package
# bind9-host, and not with the host package.
-ldap_servers=$(host -N 2 -t srv _ldap._tcp | rev | awk '/VRS/ {print $1}' | cut -d. -f2- | rev)
-# Cut the list to one server as we do not handle redundant servers at
-# the moment.
-ldap_server=$(echo $ldap_servers | awk '{print $1}')
+ldap_server_port="$(dig +search +ndots=2 +short _ldap._tcp srv | awk '
+(t == "") || ($1 < prio) {
+ prio = $1
+ t = $4
+ sub(/\.$/,"",t)
+ p = $3
+}
+END { if (t != "") printf("%s:%d", t, p) }
+')"
+ldap_server="${ldap_server_port%:*}"
+ldap_server_uri="ldap://${ldap_server_port}"
# Test if LDAP server is reachable
if ping -c1 $ldap_server > /dev/null 2>&1 ; then
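Review bot: when dig is not installed or returns no SRV record, ldap_server_port is empty, ldap_server_uri becomes "ldap://" and the unquoted "ping -c1 $ldap_server" runs with no host argument. The failure is then reported as the server not being pingable. An explicit test for an empty result before the ping would report the real cause. The comment above the lookup still says the argument was tested with "the debian package bind9-host, and not with the host package", which no longer describes a lookup done with dig. The awk selection compares only the priority field ($1) and ignores the weight, which is worth stating in the comment.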
@@ -39,6 +46,7 @@
error "Dynamically located LDAP server '$ldap_server' is not pingable, continuing tests using DNS alias ldap."
# Autodetection failed, use hardcoded DNS name for the rest of the tests
ldap_server=ldap.intern
+ ldap_server_uri="ldap://${ldap_server}"
fi
for file in nslcd.conf ; do
@@ -51,7 +59,7 @@
done
# Verify that NSS is properly configured for netgroups in LDAP.
-if egrep -q '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
+if grep -Eq '^netgroup: +nis *.* +(ldap|sss)$' /etc/nsswitch.conf ; then
success "NSS netgroup setting is correct in /etc/nsswitch.conf"
else
error "NSS netgroup setting is wrong in /etc/nsswitch.conf"
@@ -60,7 +68,7 @@
SERVICES="nslcd"
# Roaming workstations use sssd for caching, and not nscd
-if echo "$PROFILE" | egrep -q 'Roaming-Workstation' ; then
+if echo "$PROFILE" | grep -Eq 'Roaming-Workstation' ; then
SERVICES="$SERVICES sssd"
else
ls -l /var/cache/nscd/ | sed "s/^/info: nscd cache: /"
@@ -68,11 +76,13 @@
SERVICES="$SERVICES nscd"
fi
-host -a -t srv _ldap._tcp | sed "s/^/info: SRV record from DNS: /"
-host -a "$ldap_server" | sed "s/^/info: LDAP server from DNS: /"
+printf 'info: SRV record from DNS: '
+dig +search +ndots=2 +noall +answer +nocomments _ldap._tcp srv
+printf 'info: LDAP server from DNS: '
+dig +noall +answer +nocomments "$ldap_server"
if [ -f /etc/nslcd.conf ] ; then
- if egrep -q "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
+ if grep -Eq "^uri (ldap|$ldap_server)" /etc/nslcd.conf ; then
:
else
error "ldap/ldap.conf misses definition of HOST ldap"
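Review bot: the two printf calls emit the "info:" prefix once and without a newline, whereas the removed lines prefixed every output line through sed. When dig prints several records only the first carries the prefix, and when dig prints nothing the next prefix continues on the same line, which breaks any consumer that parses the testsuite output line by line. Piping the dig output through the same sed expression as before keeps every line tagged. In the grep -Eq line of this hunk, $ldap_server is interpolated into the pattern with its dots unescaped.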
@@ -116,13 +126,13 @@
if [ -x /usr/bin/ldapsearch ] ; then
namingContexts="$(
- ldapsearch -s base -h $ldap_server -b '' -x '*' '+' | \
+ ldapsearch -s base -H "${ldap_server_uri}" -b '' -x '*' '+' | \
awk '/^namingContexts:/ {print $2}' | head -1
)"
echo info: $0: LDAP rootDSE namingContext: $namingContexts
LDAP_MOUNTS="$(
- ldapsearch -LLL -h $ldap_server -b $namingContexts \
+ ldapsearch -LLL -H "${ldap_server_uri}" -b $namingContexts \
-x '(objectClass=automount)' |\
grep "^cn:" | while read attr val; do
echo "$val"
@@ -137,10 +147,10 @@
# Try a search using TLS too
group=admins
- if ldapsearch -ZZ -LLL -h $ldap_server -b $namingContexts \
+ if ldapsearch -ZZ -LLL -H "${ldap_server_uri}" -b $namingContexts \
-x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
success "TLS search on $ldap_server for cn=$group returned OK exit code."
- elif ldapsearch -ZZ -LLL -h ldap.intern -b $namingContexts \
+ elif ldapsearch -ZZ -LLL -H ldap://ldap.intern -b $namingContexts \
-x "(&(cn=$group)(objectclass=posixGroup))" >/dev/null 2>&1 ; then
success "TLS search on ldap.intern for cn=$group returned OK exit code."
else
@@ -162,10 +172,10 @@
error "Missing LDAP certificate $pubcert"
fi
-if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | egrep 'pam_krb5.so|pam_ldap.so|pam_sss.so' | wc -l) ] ; then
+if [ 1 -eq $(grep -v '^#' /etc/pam.d/common-auth | grep -Ec 'pam_krb5.so|pam_ldap.so|pam_sss.so') ] ; then
success "Only one PAM module of krb5, ldap and sss is enabled"
else
- error "Not only one PAM module of krb5, ldap and sss is enabled"
+ error "More than one PAM module of krb5, ldap and sss is enabled"
fi
# Make sure winbind PAM module isn't active
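Review bot: the else branch is reached whenever the count differs from 1, including 0, so the new message "More than one PAM module of krb5, ldap and sss is enabled" is wrong when none of the three is enabled in /etc/pam.d/common-auth. Keep a neutral wording or split the cases on the count so that a missing authentication module is reported as such. The command substitution inside "[ 1 -eq $(...) ]" should be quoted, and the dots in 'pam_krb5.so|pam_ldap.so|pam_sss.so' match any character.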
diff -Nru debian-edu-config-2.12.32/testsuite/ldap-server debian-edu-config-2.12.41~deb12u1/testsuite/ldap-server
--- debian-edu-config-2.12.32/testsuite/ldap-server 2023-01-30 14:33:11.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/testsuite/ldap-server 2023-09-27 22:34:54.000000000 +0200
@@ -73,11 +73,11 @@
# limit (32768) file descriptors were tried but required incresing
# file-max, took very long and caused very high load on the server
# during testing.
-ldap_server=ldap
+ldap_server_uri=ldap
limit=1200
ulimit -n 2048
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
echo "success: $0: search work before flodding the LDAP server with $limit connections."
else
echo "error: $0: search fail before flodding the LDAP server with $limit connections"
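Review bot: the assignment is renamed to ldap_server_uri=ldap, but the ldapsearch line expands "ldap://$ldap_server", which nothing in this hunk sets any more, so -H receives "ldap://" with no host. The variable named _uri also holds a bare host name rather than a URI. Either keep ldap_server=ldap, or set ldap_server_uri=ldap://ldap and pass "${ldap_server_uri}" to -H as the ldap-client test does.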
@@ -86,7 +86,7 @@
perl -MNet::LDAP -e "sleep(5); my @c; for my \$n (0 .. $limit) { \$c[\$n] = Net::LDAP->new('ldap://$ldap_server', onerror => undef); my \$root = \$c[\$n]->root_dse() if \$c[\$n]; } sleep(5);"
-if ldapsearch -s base -h $ldap_server -b '' -x '*' '+' > /dev/null 2>&1 ; then
+if ldapsearch -s base -H "ldap://$ldap_server" -b '' -x '*' '+' > /dev/null 2>&1 ; then
echo "success: $0: search work after flodding the LDAP server with $limit connections."
else
echo "error: $0: search fail after flodding the LDAP server with $limit connections"
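Review bot: this ldapsearch expands $ldap_server, as does the Net::LDAP->new('ldap://$ldap_server', ...) call in the unchanged perl line above it, so after the rename in the previous hunk both the connection flood and the follow-up search are given a URI without a host. The test can then report success without having exercised the server named "ldap". All three uses should read the same variable as the assignment.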
diff -Nru debian-edu-config-2.12.32/testsuite/locale debian-edu-config-2.12.41~deb12u1/testsuite/locale
--- debian-edu-config-2.12.32/testsuite/locale 2014-09-04 21:01:59.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/testsuite/locale 2023-09-27 22:34:54.000000000 +0200
@@ -4,7 +4,7 @@
echo "info: $0: install locale: '$LANG' '$LANGUAGE'"
-env|egrep 'LC|LANG' | sed "s%^%info: $0: install env: %"
+env|grep -E 'LC|LANG' | sed "s%^%info: $0: install env: %"
locale | sed "s%^%info: $0: locale: %"
locale charmap | sed "s%^%info: $0: locale charmap: %"
diff -Nru debian-edu-config-2.12.32/testsuite/ntp debian-edu-config-2.12.41~deb12u1/testsuite/ntp
--- debian-edu-config-2.12.32/testsuite/ntp 2021-01-25 17:46:26.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/testsuite/ntp 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only networked profiles use NTP
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/rdp-server debian-edu-config-2.12.41~deb12u1/testsuite/rdp-server
--- debian-edu-config-2.12.32/testsuite/rdp-server 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/testsuite/rdp-server 2023-09-27 22:34:54.000000000 +0200
@@ -9,7 +9,7 @@
fi
# Only LTSP-Server profiles provide RDP
-if echo "$PROFILE" | egrep -q 'LTSP-Server' ; then
+if echo "$PROFILE" | grep -Eq 'LTSP-Server' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/samba debian-edu-config-2.12.41~deb12u1/testsuite/samba
--- debian-edu-config-2.12.32/testsuite/samba 2021-12-02 16:12:39.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/testsuite/samba 2023-09-27 22:34:54.000000000 +0200
@@ -11,7 +11,7 @@
fi
# Only Main-Server install samba
-if echo "$PROFILE" | egrep -q 'Main-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/sudo debian-edu-config-2.12.41~deb12u1/testsuite/sudo
--- debian-edu-config-2.12.32/testsuite/sudo 2019-02-23 17:22:21.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/testsuite/sudo 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Standalone profile do not use LDAP based sudo
-if echo "$PROFILE" | egrep -q 'Standalone' ; then
+if echo "$PROFILE" | grep -Eq 'Standalone' ; then
exit 0
fi
diff -Nru debian-edu-config-2.12.32/testsuite/webcache debian-edu-config-2.12.41~deb12u1/testsuite/webcache
--- debian-edu-config-2.12.32/testsuite/webcache 2022-04-25 17:19:14.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/testsuite/webcache 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only networked profiles use squid
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
@@ -37,7 +37,7 @@
# Wait for 10 seconds
HEADOPTS="-t 10"
-if echo "$PROFILE" | egrep -q 'Main-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server' ; then
# Test that the binary exist
if test -x /usr/sbin/squid ; then
echo "success: $0: Binary /usr/sbin/squid is present."
@@ -52,7 +52,7 @@
exit 1
fi
- if egrep -q '^refresh_pattern \(Release\|Package\(.gz\)\*\)$' /etc/squid/squid.conf
+ if grep -Eq '^refresh_pattern \(Release\|Package\(.gz\)\*\)$' /etc/squid/squid.conf
then
echo "error: $0: squid typo causing APT problem is present (#591839)."
else
diff -Nru debian-edu-config-2.12.32/testsuite/webserver debian-edu-config-2.12.41~deb12u1/testsuite/webserver
--- debian-edu-config-2.12.32/testsuite/webserver 2019-02-23 17:22:21.000000000 +0100
+++ debian-edu-config-2.12.41~deb12u1/testsuite/webserver 2023-09-27 22:34:54.000000000 +0200
@@ -9,7 +9,7 @@
fi
# Only networked profiles should have the https certificates
-if echo "$PROFILE" | egrep -q 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
+if echo "$PROFILE" | grep -Eq 'Main-Server|Workstation|Roaming-Workstation|LTSP-Server|Minimal' ; then
:
else
exit 0
diff -Nru debian-edu-config-2.12.32/testsuite/workstation debian-edu-config-2.12.41~deb12u1/testsuite/workstation
--- debian-edu-config-2.12.32/testsuite/workstation 2017-05-30 15:56:28.000000000 +0200
+++ debian-edu-config-2.12.41~deb12u1/testsuite/workstation 2023-09-27 22:34:54.000000000 +0200
@@ -7,7 +7,7 @@
fi
# Only Workstation profiles use squid
-if echo "$PROFILE" | egrep -q 'Workstation|Roaming-Workstation|LTSP-Server' ; then
+if echo "$PROFILE" | grep -Eq 'Workstation|Roaming-Workstation|LTSP-Server' ; then
:
else
exit 0