5660
Kommentar:
|
13231
|
Gelöschter Text ist auf diese Art markiert. | Hinzugefügter Text ist auf diese Art markiert. |
Zeile 42: | Zeile 42: |
=== Fix UDP checksumming when on KVM (virtio_net) === If the Debian Edu mainserver TJENER runs in KVM and uses the {{{virtio_net}}} driver, you may want to disable checksum off-loading (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717215|[1]]] and [[https://forge.univention.org/bugzilla/show_bug.cgi?id=33160|[2]]] for details):{{{ auto eth0 iface eth0 inet static address 10.0.2.2 netmask 255.0.0.0 broadcast 10.255.255.255 gateway 10.0.0.1 # disable checksum off-loading pre-up ethtool -K eth0 tx off }}} Alternatively, use the e1000 driver / virtual NIC in KVM. '''Note:''' Disabling checksum off-loading is especially important for machines running {{{isc-dhcp-server}}}, but you should consider it helpful (or switching to e1000) for all KVM instances. |
|
Zeile 98: | Zeile 116: |
=== Update LDAP DIT for Debian Edu jessie === There are some variables ($GOSAADMINSDN64, $TEACHERSDN64, etc.) in the below LDAP diff. The "64" denotes that you need to use the base64 encoded representation of the DN. You will find those base64 encoded strings in the LDAP tree, but you can also create them manually.{{{ $ echo "cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" | base64 }}} Use the {{{ldapvi}}} tool to add the below information to the Debian Edu mainserver's LDAP tree. {{{ diff --git a/ldap-bootstrap/autofs.ldif b/ldap-bootstrap/autofs.ldif index 9d68cbc..05fe3e0 100644 --- a/ldap-bootstrap/autofs.ldif +++ b/ldap-bootstrap/autofs.ldif @@ -40,4 +40,4 @@ ou: auto.tjener dn: cn=/,ou=auto.tjener,ou=automount,dc=skole,dc=skolelinux,dc=no objectClass: automount cn: / -automountInformation: -fstype=nfs4,tcp,rsize=32768,wsize=32768,rw,intr,hard,nodev,nosuid tjener.intern:/& +automountInformation: -fstype=nfs4,sec=sys,tcp,rw,intr,hard,nodev,nosuid tjener.intern:/& diff --git a/ldap-bootstrap/gosa-server.ldif b/ldap-bootstrap/gosa-server.ldif index 102c86a..46f5098 100644 --- a/ldap-bootstrap/gosa-server.ldif +++ b/ldap-bootstrap/gosa-server.ldif @@ -6,12 +6,16 @@ ou: servers dn: cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no macAddress: $MAC +description: Main server; modify only if 100% sure. objectClass: top objectClass: GOhard objectClass: goServer objectClass: dhcpServer +objectClass: goNtpServer +objectClass: goLdapServer cn: tjener dhcpServiceDN: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no +goLdapBase: ldap://tjener:389/dc=skole,dc=skolelinux,dc=no ipHostNumber: 10.0.2.2 gotoMode: locked @@ -245,7 +249,7 @@ dhcpRange: 10.0.16.20 10.0.31.254 # subnet00.intern shared network dn: cn=subnet00.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no dhcpOption: routers ltspserver00.subnet00 -dhcpOption: domain-name "intern subnet00.intern" +dhcpOption: domain-name "intern" dhcpOption: subnet-mask 255.255.255.0 dhcpOption: broadcast-address 192.168.0.255 dhcpOption: root-path "/opt/ltsp/i386" @@ -277,7 +281,7 @@ dhcpRange: 192.168.0.20 192.168.0.253 # subnet01.intern shared network dn: cn=subnet01.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no dhcpOption: routers ltspserver01.subnet01 -dhcpOption: domain-name "intern subnet01.intern" +dhcpOption: domain-name "intern" dhcpOption: subnet-mask 255.255.255.0 dhcpOption: broadcast-address 192.168.1.255 dhcpOption: root-path "/opt/ltsp/i386" diff --git a/ldap-bootstrap/gosa.ldif b/ldap-bootstrap/gosa.ldif index 41bb76f..70a5afe 100644 --- a/ldap-bootstrap/gosa.ldif +++ b/ldap-bootstrap/gosa.ldif @@ -21,6 +21,11 @@ dn: ou=gosa,ou=configs,ou=systems,dc=skole,dc=skolelinux,dc=no objectClass: organizationalUnit ou: gosa +dn: cn=netgroupSystem,ou=gosa,ou=configs,ou=systems,dc=skole,dc=skolelinux,dc=no +cn: netgroupSystem +objectClass: top +objectClass: gosaConfig +gosaSetting: netgroupSystemRDN:ou=netgroup ###################### Teachers ######################### @@ -191,13 +196,13 @@ dn: cn=admin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: gosaRole gosaAclTemplate: 0:psub::all;cmdrw -description: unlimited administrative permissions +description: nearly unlimited administrative permissions cn: admin-role dn: cn=jradmin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: gosaRole -gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,groups/group;cmdr#description;w#memberUid;rw +gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,users/sambaAccount;r,groups/group;cmdr#description;w#memberUid;rw description: limited administrative permissions cn: jradmin-role diff --git a/ldap-bootstrap/ltsp.ldif b/ldap-bootstrap/ltsp.ldif index 55e46f8..8fc0609 100644 --- a/ldap-bootstrap/ltsp.ldif +++ b/ldap-bootstrap/ltsp.ldif @@ -7,4 +7,4 @@ dn: cn=ltspConfigDefault,ou=ltsp,dc=skole,dc=skolelinux,dc=no objectclass: ltspClientConfig cn: ltspConfigDefault ltspConfig: NBD_SWAP=Y -ltspConfig: SCREEN_07=ldm +ltspConfig: KEEP_SYSTEM_SERVICES=lightdm diff --git a/ldap-bootstrap/root.ldif b/ldap-bootstrap/root.ldif index 2b41253..521c0ae 100644 --- a/ldap-bootstrap/root.ldif +++ b/ldap-bootstrap/root.ldif @@ -29,7 +29,7 @@ dc: skole ou: skole o: skole.skolelinux.no labeledURI: http://www/ LDAP for Debian Edu/Skolelinux -gosaAclEntry: 0:psub:$GOSAADMINSDN64:server/servgeneric;#gotoMode;r#userPassword;r#FAIstate;r,all;cmdrw +gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r,users/sambaAccount;#AllowLoginOnTerminalServer;r#InheritClientConfig;r#sambaKickoffTime;r#enforcePasswordChange;r#cannotChangePassword;r#noPasswordRequired;r#passwordNeverExpires;r#temporaryDisabled;r#sambaLogonHours;r#sambaUserWorkstations;r gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw gosaAclEntry: 3:role:$ADMINROLEDN64: @@ -50,6 +50,18 @@ objectClass: top objectClass: organizationalUnit ou: systems +dn: ou=workstations,ou=systems,dc=skole,dc=skolelinux,dc=no +objectClass: organizationalUnit +ou: workstations + +dn: ou=terminals,ou=systems,dc=skole,dc=skolelinux,dc=no +objectClass: organizationalUnit +ou: terminals + +dn: ou=printers,ou=systems,dc=skole,dc=skolelinux,dc=no +objectClass: organizationalUnit +ou: printers + dn: ou=winstations,ou=systems,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: organizationalUnit }}} === NSCD and Netgroups === Until Debian bug [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793649|#793649]] is not fixed in nscd, you have to empty the NSCD cache directory after upgrade and upgrade the NFS server afterwards:{{{ root@tjener:~# invoke-rc.d nscd stop root@tjener:~# rm -Rf /var/cache/nscd/* root@tjener:~# invoke-rc.d nscd start root@tjener:~# invoke-rc.d nfs-kernel-server restart }}} |
|
Zeile 108: | Zeile 267: |
/usr/share/debian-edu-config/tools/sssd-generate-config -k > /etc/krb5.conf /usr/sbin/pam-auth-update --package }}} |
root@<client>:~# /usr/share/debian-edu-config/tools/sssd-generate-config -k > /etc/krb5.conf root@<client>:~# /usr/sbin/pam-auth-update --package }}} = References = * [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717215 * [2] https://forge.univention.org/bugzilla/show_bug.cgi?id=33160 |
Upgrade des Debian Edu Haupt-Servers (TJENER) von Debian Edu squeeze nach Debian Edu jessie
Inhaltsverzeichnis
Preparations
Perform a manual dump of your LDAP database (in case things fail on the way):
root@tjener:~# slapcat > /root/slapcat-$(date +%Y%m%d%H%M%S).ldif
- Backup the complete TJENER system (so that you can completely restore the old state from backup, if needed).
Backup the /etc/ configuration files and have them at hand when fixing various service settings once packages have been upgraded to Debian jessie state.
Package Upgrades
to Debian (Edu) wheezy
Update /etc/apt/sources.list and individual configurations in /etc/apt/sources.list.d/, so that packages for Debian wheezy will get installed with next upgrade / dist-upgrade.
Run upgrade and dist-upgrade in two steps
root@tjener:~# apt-get upgrade root@tjener:~# apt-get dist-upgrade
- Reboot into the new Debian wheezy system, ignore if some services are broken / non-functional.
to Debian (Edu) jessie
Update /etc/apt/sources.list and individual configurations in /etc/apt/sources.list.d/, so that packages for Debian jessie will get installed with next upgrade / dist-upgrade.
Run upgrade and dist-upgrade in two steps
root@tjener:~# apt-get upgrade root@tjener:~# apt-get dist-upgrade
- Reboot into the new Debian jessie system, ignore if some services are broken / non-functional.
Possible mistakes
Don't forget the reboot into the Debian wheezy system, because you will run into troubles when upgrading the udev package from wheezy to jessie if still running the 2.6.32 Linux kernel from Debian squeeze.
Fixing the TJENER setup after package upgrade
The Debian Edu mainserver is not easily upgradable, because the mainserver installation process in Debian Edu does many modifications to the plain Debian system.
Fix UDP checksumming when on KVM (virtio_net)
If the Debian Edu mainserver TJENER runs in KVM and uses the virtio_net driver, you may want to disable checksum off-loading (see [1] and [2] for details):
auto eth0 iface eth0 inet static address 10.0.2.2 netmask 255.0.0.0 broadcast 10.255.255.255 gateway 10.0.0.1 # disable checksum off-loading pre-up ethtool -K eth0 tx off
Alternatively, use the e1000 driver / virtual NIC in KVM.
Note: Disabling checksum off-loading is especially important for machines running isc-dhcp-server, but you should consider it helpful (or switching to e1000) for all KVM instances.
Fix DNS server (bind9)
During the upgrade process, the DNS server configuration (synced into text files from LDAP) gets lost. You need to rebuild the DNS server configuration files from LDAP manually.
Add
10.0.2.2 ldap.intern
to /etc/hosts temporarily.Add
BIND_DATA="/etc/bind"
at the end of /etc/default/ldap2zone.
Rebuild the DNS configuration (in /etc/bind) via ldap2bind command:
root@tjener:~# su - bind bind@tjener:~$ PATH=/sbin:/bin:/usr/sbin:/usr/bin /usr/sbin/ldap2bind
Fix Apache2 Setup
The next step is getting the Apache2 setup fixed, so you can regain access to GOsa² installed on TJENER:
Remove dangling symlinks in /etc/apache2/sites-enabled related to Debian Edu
root@tjener:~# rm -f /etc/apache2/sites-enabled/debian-edu-*default
Create proper symlinks (having a trainling .conf in the symlink name via the a2ensite utility:
root@tjener:~# a2ensite debian-edu-default root@tjener:~# a2ensite debian-edu-ssl-default
Don't forget to restart Apache2:
root@tjener:~# invoke-rc.d apache2 restart
Fix GOsa² binding to LDAP
Once Apache2 is up-and-running again, you may want to access GOsa² to check if your LDAP tree is still in shape after upgrade (it surely will be). However, access GOsa² results in this message after a fresh squeeze to jessie Upgrade:
<b>Schwerer Fehler</b> Fehler beim Verbinden mit dem LDAP-Server: Could not bind to cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no (während der Arbeit auf LDAP-Server 'ldap://ldap.intern') Bitte beheben Sie obigen Fehler und laden die Seite neu.
Two steps are required to get this issue fixed:
Fix /etc/gosa/gosa.secrets with this command
root@tjener:~# sed -e 's/GOSA_KEY/GOSAKEY/g' -i /etc/gosa.secrets
Fix /etc/gosa/gosa.conf manually after upgrade. In your new (i.e., jessie'ish) gosa.conf file you are likely to find $GOSAPWD as adminPassword and snapshotAdminPassword values. This, of course is wrong, the $GOSAPWD variable is only used while boot-strapping the Debian Edu mainserver at installation time. Steps to get this variable replaced by the original hashed password string:
Get /etc/gosa/gosa.conf from your earlier taken configuration backup
- Search for the string "adminPassword" in the configuration and obtain the hash referenced there as a value
Replace $GOSAPWD by that hash:
root@tjener:~# sed -e 's/$GOSAPWD/<put-your-pw-hash-here/g' -i /etc/gosa/gosa.conf
Don't forget to restart Apache2 (as /etc/gosa/gosa.secrets gets pulled in into the Apache2 runtime configuration).
- Test GOsa² access:
Open this URL in your webbrowser: https://www/gosa/
- Login with any of your LDAP accounts
Update LDAP DIT for Debian Edu jessie
There are some variables ($GOSAADMINSDN64, $TEACHERSDN64, etc.) in the below LDAP diff. The "64" denotes that you need to use the base64 encoded representation of the DN. You will find those base64 encoded strings in the LDAP tree, but you can also create them manually.
$ echo "cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" | base64
Use the ldapvi tool to add the below information to the Debian Edu mainserver's LDAP tree.
diff --git a/ldap-bootstrap/autofs.ldif b/ldap-bootstrap/autofs.ldif index 9d68cbc..05fe3e0 100644 --- a/ldap-bootstrap/autofs.ldif +++ b/ldap-bootstrap/autofs.ldif @@ -40,4 +40,4 @@ ou: auto.tjener dn: cn=/,ou=auto.tjener,ou=automount,dc=skole,dc=skolelinux,dc=no objectClass: automount cn: / -automountInformation: -fstype=nfs4,tcp,rsize=32768,wsize=32768,rw,intr,hard,nodev,nosuid tjener.intern:/& +automountInformation: -fstype=nfs4,sec=sys,tcp,rw,intr,hard,nodev,nosuid tjener.intern:/& diff --git a/ldap-bootstrap/gosa-server.ldif b/ldap-bootstrap/gosa-server.ldif index 102c86a..46f5098 100644 --- a/ldap-bootstrap/gosa-server.ldif +++ b/ldap-bootstrap/gosa-server.ldif @@ -6,12 +6,16 @@ ou: servers dn: cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no macAddress: $MAC +description: Main server; modify only if 100% sure. objectClass: top objectClass: GOhard objectClass: goServer objectClass: dhcpServer +objectClass: goNtpServer +objectClass: goLdapServer cn: tjener dhcpServiceDN: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no +goLdapBase: ldap://tjener:389/dc=skole,dc=skolelinux,dc=no ipHostNumber: 10.0.2.2 gotoMode: locked @@ -245,7 +249,7 @@ dhcpRange: 10.0.16.20 10.0.31.254 # subnet00.intern shared network dn: cn=subnet00.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no dhcpOption: routers ltspserver00.subnet00 -dhcpOption: domain-name "intern subnet00.intern" +dhcpOption: domain-name "intern" dhcpOption: subnet-mask 255.255.255.0 dhcpOption: broadcast-address 192.168.0.255 dhcpOption: root-path "/opt/ltsp/i386" @@ -277,7 +281,7 @@ dhcpRange: 192.168.0.20 192.168.0.253 # subnet01.intern shared network dn: cn=subnet01.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no dhcpOption: routers ltspserver01.subnet01 -dhcpOption: domain-name "intern subnet01.intern" +dhcpOption: domain-name "intern" dhcpOption: subnet-mask 255.255.255.0 dhcpOption: broadcast-address 192.168.1.255 dhcpOption: root-path "/opt/ltsp/i386" diff --git a/ldap-bootstrap/gosa.ldif b/ldap-bootstrap/gosa.ldif index 41bb76f..70a5afe 100644 --- a/ldap-bootstrap/gosa.ldif +++ b/ldap-bootstrap/gosa.ldif @@ -21,6 +21,11 @@ dn: ou=gosa,ou=configs,ou=systems,dc=skole,dc=skolelinux,dc=no objectClass: organizationalUnit ou: gosa +dn: cn=netgroupSystem,ou=gosa,ou=configs,ou=systems,dc=skole,dc=skolelinux,dc=no +cn: netgroupSystem +objectClass: top +objectClass: gosaConfig +gosaSetting: netgroupSystemRDN:ou=netgroup ###################### Teachers ######################### @@ -191,13 +196,13 @@ dn: cn=admin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: gosaRole gosaAclTemplate: 0:psub::all;cmdrw -description: unlimited administrative permissions +description: nearly unlimited administrative permissions cn: admin-role dn: cn=jradmin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: gosaRole -gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,groups/group;cmdr#description;w#memberUid;rw +gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,users/sambaAccount;r,groups/group;cmdr#description;w#memberUid;rw description: limited administrative permissions cn: jradmin-role diff --git a/ldap-bootstrap/ltsp.ldif b/ldap-bootstrap/ltsp.ldif index 55e46f8..8fc0609 100644 --- a/ldap-bootstrap/ltsp.ldif +++ b/ldap-bootstrap/ltsp.ldif @@ -7,4 +7,4 @@ dn: cn=ltspConfigDefault,ou=ltsp,dc=skole,dc=skolelinux,dc=no objectclass: ltspClientConfig cn: ltspConfigDefault ltspConfig: NBD_SWAP=Y -ltspConfig: SCREEN_07=ldm +ltspConfig: KEEP_SYSTEM_SERVICES=lightdm diff --git a/ldap-bootstrap/root.ldif b/ldap-bootstrap/root.ldif index 2b41253..521c0ae 100644 --- a/ldap-bootstrap/root.ldif +++ b/ldap-bootstrap/root.ldif @@ -29,7 +29,7 @@ dc: skole ou: skole o: skole.skolelinux.no labeledURI: http://www/ LDAP for Debian Edu/Skolelinux -gosaAclEntry: 0:psub:$GOSAADMINSDN64:server/servgeneric;#gotoMode;r#userPassword;r#FAIstate;r,all;cmdrw +gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r,users/sambaAccount;#AllowLoginOnTerminalServer;r#InheritClientConfig;r#sambaKickoffTime;r#enforcePasswordChange;r#cannotChangePassword;r#noPasswordRequired;r#passwordNeverExpires;r#temporaryDisabled;r#sambaLogonHours;r#sambaUserWorkstations;r gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw gosaAclEntry: 3:role:$ADMINROLEDN64: @@ -50,6 +50,18 @@ objectClass: top objectClass: organizationalUnit ou: systems +dn: ou=workstations,ou=systems,dc=skole,dc=skolelinux,dc=no +objectClass: organizationalUnit +ou: workstations + +dn: ou=terminals,ou=systems,dc=skole,dc=skolelinux,dc=no +objectClass: organizationalUnit +ou: terminals + +dn: ou=printers,ou=systems,dc=skole,dc=skolelinux,dc=no +objectClass: organizationalUnit +ou: printers + dn: ou=winstations,ou=systems,dc=skole,dc=skolelinux,dc=no objectClass: top objectClass: organizationalUnit
NSCD and Netgroups
Until Debian bug #793649 is not fixed in nscd, you have to empty the NSCD cache directory after upgrade and upgrade the NFS server afterwards:
root@tjener:~# invoke-rc.d nscd stop root@tjener:~# rm -Rf /var/cache/nscd/* root@tjener:~# invoke-rc.d nscd start root@tjener:~# invoke-rc.d nfs-kernel-server restart
Notes on Upgrading Debian Edu Clients
PAM Kerberos may be broken
On one system we encountered an issue where the file /usr/share/pam-configs/krb5 did not exist anymore after an upgrade/dist-upgrade from Debian squeeze to Debian jessie. The quick-fix for this is
root@<client>:~# apt-get install --reinstall libpam-krb5
Another issue is that cfEngine rules described in /etc/cfengine/debian-edu/cf.krb5client were not fully applied. The manual steps to (re-)apply those rules are:
root@<client>:~# ln -s /usr/share/debian-edu-config/pam-config-nopwdchange /usr/share/pam-configs/edu-nopwdchange root@<client>:~# /usr/share/debian-edu-config/tools/sssd-generate-config -k > /etc/krb5.conf root@<client>:~# /usr/sbin/pam-auth-update --package