Skolelinux autoconfig system
============================

Uses cfengine to automatically configure the hosts. This package is used for all configuration that is impossible to do using debconf answers during first-time install. Configuration changes, replacement config files and extra files to install in a Skolelinux installation belong to this package.

All the configuration done in this package should in principle be possible to do using debconf answers. We should strive to get patches into the Debian packages or upstream source, to reduce the need for Skolelinux-specific configuration.

Adding / replacing config files
-------------------------------

If we want to install (add) a file which is not included in another Debian package, the file should be installed as a normal file in the Debian package. This is only useful if the file can be safely installed for all profiles.

If the file already exists in another package, we should try to use cfengine edit commands to modify the existing file. If the changes are massive, it is more sensible to replace the existing file with one of our files, and only in this case should we use the masterfiles to copy a replacement file on top of the existing configuration file.

Source overview
---------------

cf3/      - the cfengine configuration files, installed into /etc/cfengine3/debian-edu
etc/...   - New files installed into /etc/...
bin/      - New files installed into /usr/bin/
share/... - New files installed into /usr/share/...

Contact Petter Reinholdtsen if you have questions.

What is configured
==================

This is a high-level description of the configuration changes done by this package, including the files related to the configuration change.

DNS server (bind)
-----------------

Preconfigured DNS zone .intern with DNS names for services used by debian-edu. Also includes the DHCP-distributed IP addresses used. The address range is separated into groups.
https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Architecture includes a list of services that are set up by default in a Skolelinux network; please update it when you add new services.

Where possible the DNS name corresponds to the service name in /etc/services; where this is not possible the common name of the service is used as the DNS name. All configuration files will, if possible, refer to the service by name (without the domain name), thus making it easy for schools to change either their domain (if they have their own DNS domain) or the IP addresses they use.

DHCP server (dhcp)
------------------

Contains info on the IP range and DNS server used on the network, and what to hand out to the clients. Also contains LTSP configuration options.

syslog (rsyslog)
----------------

The main-server profile is configured as a syslog message collector, and all clients (workstation and ltsp-server) are configured to send all syslog messages to the host behind the DNS name syslog.

NTP clients and server
----------------------

The main-server profile is configured as a publicly available NTP server, and the workstation and ltsp-server profiles are configured as NTP clients using the host behind the DNS name ntp as their NTP server.

LDAP server (slapd)
-------------------

Prepare it to work as a NIS replacement for PAM, NSS and automount (autofs). Also prepare it to work as backend storage for the Samba domain controller. Prepare it to contain the gosa and sudoers default configuration.

NFS server (nfs-kernel-server)
------------------------------

HTTP proxy (squid)
------------------

SMB domain controller and file server (samba)
---------------------------------------------

The Samba server is configured with workgroup 'skolelinux' and LDAP-based authentication. Printing is configured with CUPS, and an automatic drive mapping is set for a connected user to its home at h:\ The Samba server acts as a domain controller and WINS (Windows name service) server.
Samba client workstations are using tjener as their auth server, WINS and domain controller. Their netbios name is automatically set. Roaming profiles are on by default, but the profiles are not separated from the home data into specific directories for each Windows version like Win2K or WinXP.

SMTP and IMAP post office (exim and dovecot)
--------------------------------------------

The Dovecot IMAP server is configured and can be accessed using a Kerberos ticket (GSSAPI). Exim is configured as a simple local mail relay on workstations and as a server for local users on servers. Local users are looked up in the LDAP database using the Exim LDAP module.

X terminal server solution (LTSP)
---------------------------------

Printer system (CUPS)
---------------------

Configure CUPS to work out of the box. Disable non-encrypted access for all hosts except localhost.

cf3/cf.cups
etc/cups/cupsd-debian-edu.conf

HTTP server (apache2)
---------------------

For now, the Apache configuration is only tuned to know that user homepages are on /skole/tjener/home*/*/public_html (see cf3/cf.apache2).

KDE client config
-----------------

SSH (openssh)
-------------

inetd
-----

Disable unused network services (discard, daytime, time) on all hosts, and disable SMTP listening on all client machines.

cf3/cf.inetd

Design choices
==============

Local device access
-------------------

Petter Reinholdtsen, 2006-10-17

The local user should have access to some of the local devices (sound, cdrom, etc) after logging in on the console or via gdm/xdm/etc, but not when logging in remotely via ssh. There are, as far as I know, two ways to make this happen. One way is to add the local user to the groups needed to access these devices; the other is to change the permissions on these devices to give access to the local user. The former is done using pam_group, while the latter is done using pam_devperm. Both have advantages and weaknesses.
pam_group
---------

By updating /etc/pam.d/common-auth and /etc/security/group.conf it is possible to add the logged-in user to the groups needed (audio, floppy, cdrom, plugdev, video). In addition to getting access to the devices present during login, it also makes sure hotplugged devices like USB sticks work (group membership in plugdev takes care of this).

The problem with this method is that every member of the groups in question can create a setgid program to gain access to the devices also when not logged into the machine. This makes it possible to record from the microphone, read from the floppy, cdrom and USB stick, as well as play unwanted sound on other users' computers. It is also possible to start long-running processes in the background to keep the access privileges to the devices in question.

There are some problems with this approach with KDE 3.5, as it switched from using pmount (which works) to using hal callouts which do not. More info in bug #377689.

--- /etc/pam.d/common-auth.orig 2006-10-17 11:25:40.000000000 +0000 +++ /etc/pam.d/common-auth 2006-10-17 11:25:29.000000000 +0000 @@ -7,4 +7,5 @@ # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # +auth optional pam_group.so auth required pam_unix.so nullok_secure --- /etc/security/group.conf.orig 2006-10-17 11:27:32.000000000 +0000 +++ /etc/security/group.conf 2006-10-17 11:31:43.000000000 +0000
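Review bot: in the common-auth hunk above, the added `+auth optional pam_group.so` line carries no hint that the actual access policy lives in /etc/security/group.conf; a comment on the line (for example `# device group membership for console logins, rules in /etc/security/group.conf`) would keep the two files visibly coupled for whoever edits common-auth later, since this is the line that makes every matching group.conf rule effective for all PAM-using logins.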
@@ -55,6 +55,8 @@ #xsh; tty* ;*;Al0900-1800;floppy +*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video +*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video # # End of group.conf file

pam_devperm
-----------

By installing libpam-devperm and updating /etc/pam.d/common-session (and /etc/logindevperm to fix bug #393661 and get access to /dev/dsp), it is possible to modify the permissions of the relevant devices when a user logs in, and reset the permissions when the user logs out. The owner of the device is changed to the logged-in user, and the mode is normally set to 0600, granting exclusive access.

The problem with this method is that hotplug devices do not work, as they are not available when the user logs in, and the device ownership is only modified when the user logs in. Another problem is that the user can keep the access privileges for the devices after logging out by starting long-running processes in the background.

--- /etc/pam.d/common-session.orig 2006-10-17 11:23:21.000000000 +0000 +++ /etc/pam.d/common-session 2006-10-17 10:42:08.000000000 +0000 @@ -7,3 +7,4 @@ # non-interactive). The default is pam_unix. # session required pam_unix.so +session required pam_devperm.so --- /etc/logindevperm.orig 2006-10-17 10:51:58.000000000 +0000 +++ /etc/logindevperm 2006-10-17 10:53:08.000000000 +0000
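Review bot: the two `+` rules in the group.conf hunk use `*` for the user field and `Al0000-2400` for the time field, so every account that reaches a matching tty or the `:0` display, at any hour, joins audio,cdrom,floppy,plugdev,video; that is exactly the membership the text says can be kept via a setgid binary, so the rules should at least carry a comment saying they are only safe together with the nosuid mounts recommended in the Conclusion, and the service/system accounts that should never match could be excluded in the user field instead of `*`.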
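Review bot: `+session required pam_devperm.so` in the common-session hunk makes a failure inside pam_devperm fail session setup for every login path that includes common-session, including the remote ssh logins the text says should not get device access at all; if the intent is only to change device ownership when it can be done, `optional` keeps logins working when the module fails, and the choice of `required` deserves a comment either way.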
@@ -24,7 +24,7 @@ :0 0600 /dev/cdrecorder:/dev/cdrecorder1:/dev/cdrecorder2:/dev/cdrecorder3 :0 0600 /dev/dvd:/dev/dvd1:/dev/dvd2:/dev/dvd3 :0 0600 /dev/zip:/dev/zip1:/dev/zip2:/dev/zip3 -:0 0600 /dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3 +:0 0600 /dev/dsp:/dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3 :0 0600 /dev/fd0:/dev/fd0u1440:/dev/fd0h1440:/dev/fd0u720:/dev/fd0h720 :0 0600 /dev/fd1:/dev/fd1u1440:/dev/fd1h1440:/dev/fd1u720:/dev/fd1h720 :0 0600 /dev/sequencer:/dev/sequencer2:/dev/music

Conclusion
----------

I recommend using the pam_group mechanism to get working hotplug support, and recommend solving the setgid issue by adding the nosuid mount flag to the partitions where users can add files (/home/, /tmp/, /dev/shm/, /var/lock/), and solving the problem with long-running processes by running some kind of idle-job killer to kill long-running processes.

Ideas for LDAP based client configuration, reducing the amount of configuration stored on clients.
=================================================================

The basic idea is to let the clients derive all the information they need by starting with the DHCP reply and continuing from there.

At the moment, clients have LDAP tree information hardcoded. This can be fetched dynamically from the LDAP server, if the LDAP server can be located. The LDAP server can be found using the same mechanism used by MS AD, by adding _ldap._tcp SRV records, or just using our 'ldap' DNS alias as before.

- use _ldap._tcp SRV record to find LDAP server
- use ldap "root" object to find LDAP tree info (like AD defaultNamingContext attribute)
  "ldapsearch -x -s base -H ldap://$server -b '' -x '*'"
- subnet tree with relevant information? AD has subtree "CN=Subnets,CN=Sites,CN=Configuration,$base" with objectClass=subnet objects.
  - like printers to use?
  - like proxy setting?
  - like browser home page?
- proxy configuration using WPAD provided by DHCP or from LDAP? "Web Proxy Auto-Discovery" (WPAD).
- browser home page provided from LDAP for the host and/or user
- LDAP populated using sitesummary information
  - for host group membership
  - for dhcp mac address binding
  - for dns names
- LTSP configuration?

Can the browser fetch configuration from LDAP?

An alternative is to use the avahi service announcement mechanism.
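An added check for the nosuid recommendation in the Conclusion above (example script written for this README, not part of the package): it reads a constructed /proc/mounts sample and reports which of the user-writable mount points from that list are mounted without nosuid, or are not separate mounts at all and so inherit the root filesystem's options.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device, mount point, fstype,
# options, dump, pass). /tmp and /var/lock lack nosuid on purpose.
MOUNTS_SAMPLE='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /var/lock tmpfs rw,relatime 0 0'

# missing_nosuid MOUNTS PATH...: print each PATH that is mounted without
# nosuid, or that is not a separate mount at all (and therefore cannot
# carry its own nosuid flag). A setgid binary placed on such a filesystem
# keeps granting the pam_group device groups after the user has logged out.
missing_nosuid() {
    mounts=$1
    shift
    for mp in "$@"; do
        printf '%s\n' "$mounts" | awk -v mp="$mp" '
            $2 == mp {
                found = 1
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++) if (opts[i] == "nosuid") ok = 1
            }
            END {
                if (!found) print mp " (not a separate mount)"
                else if (!ok) print mp
            }'
    done
}

# On a real host, feed the live mount table instead of the sample:
#   missing_nosuid "$(cat /proc/mounts)" /home /tmp /dev/shm /var/lock
missing_nosuid "$MOUNTS_SAMPLE" /home /tmp /dev/shm /var/lock
```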
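An added example for the first two items of the idea list above (SRV lookup, then the root DSE), written for this README and not part of the package: given constructed `dig +short SRV _ldap._tcp.intern` and `ldapsearch -s base -b ''` output, it picks the server the way a client would and derives the search base instead of hardcoding it. The `.intern` host names and the naming context are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of what `dig +short SRV _ldap._tcp.intern` prints:
# "<priority> <weight> <port> <target>" per line.
SRV_SAMPLE='20 0 389 ldap-backup.intern.
10 60 389 ldap.intern.
10 40 389 ldap2.intern.'

# Constructed sample of the root DSE as printed by
#   ldapsearch -x -s base -H ldap://$server -b '' namingContexts
ROOTDSE_SAMPLE='dn:
namingContexts: dc=example,dc=intern'

# pick_ldap_server SRVOUTPUT: choose the lowest priority and, within it,
# the highest weight (a deterministic simplification of RFC 2782, which
# picks randomly in proportion to weight). A target of "." means the
# service is explicitly not offered, so fail instead of returning it.
pick_ldap_server() {
    printf '%s\n' "$1" | sort -k1,1n -k2,2nr | head -n 1 |
        awk '$4 == "." { exit 1 }
             { sub(/\.$/, "", $4); printf "%s:%s\n", $4, $3 }'
}

# naming_context LDIF: extract the first namingContexts value from the
# root DSE, the equivalent of AD's defaultNamingContext.
naming_context() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "namingContexts" { print $2; exit }'
}

# ldap_base_cmd SRVOUTPUT LDIF: the search command a client would build
# from discovery alone, with no LDAP tree information stored locally.
ldap_base_cmd() {
    server=$(pick_ldap_server "$1") || return 1
    base=$(naming_context "$2")
    printf 'ldapsearch -x -H ldap://%s -b "%s"\n' "$server" "$base"
}

ldap_base_cmd "$SRV_SAMPLE" "$ROOTDSE_SAMPLE"
```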