= Upgrade des Debian Edu Haupt-Servers (TJENER) von Debian Edu squeeze nach Debian Edu jessie =

<<TableOfContents(3)>>

== Services on TJENER ==

The following services / features on TJENER must be functional:

  * LDAP
  * Apache2
    * GOsa²
    * Nagios3
    * Munin
  * DNS
  * DHCP
  * Samba
  * Squid3
  * Debian PXE Installer
  * Exim4
    * lokale Mailzustellung von TJENER an TJENER
    * Netzwerk-Mailzustellung von Edu Clients an TJENER
  * Dovecot
    * Zugriff via Mail-Client (IMAPS)
  * ...

== Preparations ==

  * Perform a manual dump of your LDAP database (in case things fail on the way):{{{
root@tjener:~# slapcat > /root/slapcat-$(date +%Y%m%d%H%M%S).ldif
}}}
  * Backup the complete TJENER system (so that you can completely restore the old state from backup, if needed).
  * Backup the {{{/etc/}}} configuration files and have them at hand when fixing various service settings once packages have been upgraded to Debian jessie state.

== Package Upgrades ==

=== to Debian (Edu) wheezy ===

  * Update {{{/etc/apt/sources.list}}} and individual configurations in {{{/etc/apt/sources.list.d/}}}, so that packages for Debian wheezy will get installed with next upgrade / dist-upgrade.
  * Run upgrade and dist-upgrade in two steps{{{
root@tjener:~# apt-get upgrade
root@tjener:~# apt-get dist-upgrade
}}}

  * Reboot into the new Debian wheezy system, ignore if some services are broken / non-functional.

=== to Debian (Edu) jessie ===

  * Update {{{/etc/apt/sources.list}}} and individual configurations in {{{/etc/apt/sources.list.d/}}}, so that packages for Debian jessie will get installed with next upgrade / dist-upgrade.
  * Run upgrade and dist-upgrade in two steps{{{
root@tjener:~# apt-get upgrade
root@tjener:~# apt-get dist-upgrade
}}}

  * Reboot into the new Debian jessie system, ignore if some services are broken / non-functional.

=== Possible mistakes ===

  * Don't forget the reboot into the Debian wheezy system, because you will run into troubles when upgrading the {{{udev}}} package from wheezy to jessie if still running the 2.6.32 Linux kernel from Debian squeeze.

=== Update command-not-found database ===

Make sure that the command-not-found tool is aware of commands/applications available in Debian jessie:{{{
root@tjener:~# update-command-not-found
}}}

== Fixing the TJENER setup after package upgrade ==

The Debian Edu mainserver is not easily upgradable, because the mainserver installation process in Debian Edu does many modifications to the plain Debian system.

=== Fix UDP checksumming when on KVM (virtio_net) ===

If the Debian Edu mainserver TJENER runs in KVM and uses the {{{virtio_net}}} driver, you may want to disable checksum off-loading (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717215|[1]]] and [[https://forge.univention.org/bugzilla/show_bug.cgi?id=33160|[2]]] for details):{{{
auto eth0
iface eth0 inet static
    address 10.0.2.2
    netmask 255.0.0.0
    broadcast 10.255.255.255
    gateway 10.0.0.1
    # disable checksum off-loading
    pre-up ethtool -K eth0 tx off

}}}

Alternatively, use the e1000 driver / virtual NIC in KVM.

'''Note:''' Disabling checksum off-loading is especially important for machines running {{{isc-dhcp-server}}}, but you should consider it helpful (or switching to e1000) for all KVM instances.

=== Fix DNS server (bind9) ===

During the upgrade process, the DNS server configuration (synced into text files from LDAP) gets lost. You need to rebuild the DNS server configuration files from LDAP manually.

  * Add{{{
10.0.2.2 ldap.intern}}}to /etc/hosts temporarily.
  * Add{{{
BIND_DATA="/etc/bind"}}}at the end of {{{/etc/default/ldap2zone}}}.
  * Rebuild the DNS configuration (in {{{/etc/bind}}}) via {{{ldap2bind}}} command:{{{
root@tjener:~# su -s /bin/bash - bind
bind@tjener:~$ PATH=/sbin:/bin:/usr/sbin:/usr/bin /usr/sbin/ldap2bind
}}}


=== Fix Apache2 Setup ===

The next step is getting the Apache2 setup fixed, so you can regain access to GOsa² installed on TJENER:

  * Remove dangling symlinks in {{{/etc/apache2/sites-enabled}}} related to Debian Edu{{{
root@tjener:~# rm -f /etc/apache2/sites-enabled/debian-edu-*default
}}}
  * Create proper symlinks (having a trainling {{{.conf}}} in the symlink name via the {{{a2ensite}}} utility:{{{
root@tjener:~# a2ensite debian-edu-default
root@tjener:~# a2ensite debian-edu-ssl-default
}}}
  * Don't forget to restart Apache2:{{{
root@tjener:~# invoke-rc.d apache2 restart
}}}

=== Fix GOsa² binding to LDAP ===

Once Apache2 is up-and-running again, you may want to access GOsa² to check if your LDAP tree is still in shape after upgrade (it surely will be). However, access GOsa² results in this message after a fresh squeeze to jessie Upgrade: 

{{{
<b>Schwerer Fehler</b>
Fehler beim Verbinden mit dem LDAP-Server: Could not bind to cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no (während der Arbeit auf LDAP-Server 'ldap://ldap.intern')

Bitte beheben Sie obigen Fehler und laden die Seite neu. 
}}}

Two steps are required to get this issue fixed:

  * Fix {{{/etc/gosa/gosa.secrets}}} with this command{{{
root@tjener:~# sed -e 's/GOSA_KEY/GOSAKEY/g' -i /etc/gosa/gosa.secrets
}}}
  * Fix {{{/etc/gosa/gosa.conf}}} manually after upgrade. In your new (i.e., jessie'ish) {{{gosa.conf}}} file you are likely to find {{{$GOSAPWD}}} as {{{adminPassword}}} and {{{snapshotAdminPassword}}} values. This, of course is wrong, the {{{$GOSAPWD}}} variable is only used while boot-strapping the Debian Edu mainserver at installation time. Steps to get this variable replaced by the original hashed password string:
    * Get {{{/etc/gosa/gosa.conf}}} from your earlier taken configuration backup
    * Search for the string "adminPassword" in the configuration and obtain the hash referenced there as a value
    * Replace {{{$GOSAPWD}}} by that hash:{{{
root@tjener:~# sed -e 's/$GOSAPWD/<put-your-pw-hash-here/g' -i /etc/gosa/gosa.conf
}}}
  * Don't forget to restart Apache2 (as {{{/etc/gosa/gosa.secrets}}} gets pulled in into the Apache2 runtime configuration).
  * Test GOsa² access:
    * Open this URL in your webbrowser: {{{https://www/gosa/}}}
    * Login with any of your LDAP accounts

=== Upgrade GOsa²'s configuration file for GOsa 2.7.3 ===

The GOsa configuration file for a Debian Edu jessie main server has change a bit compared to GOsa on a Debian Edu mainserver based on Debian squeeze. The below changes have to manually be worked into {{{/etc/gosa/gosa.conf}}}:

{{{
root@tjener:/etc/gosa# etckeeper vcs diff
diff --git a/gosa/gosa.conf b/gosa/gosa.conf
index f1dee8c..4aa3361 100644
--- a/gosa/gosa.conf
+++ b/gosa/gosa.conf
@@ -31,61 +31,51 @@
    -->
   <menu>
 
-    <!-- Section to enable quick self service shortcuts for the logged in user -->
-    <section name="My account">
-      <plugin acl="users/user:self" class="user"/>
-      <plugin acl="users/posixAccount:self" class="posixAccount" postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-create %uid" postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-remove %uid %homeDirectory"/>             
-      <plugin acl="users/environment:self" class="environment"/>
-      <plugin acl="users/mailAccount:self" class="mailAccount"/> 
-      <plugin acl="users/sambaAccount:self" class="sambaAccount"/>
-      <plugin acl="users/netatalk:self" class="netatalk"/>
-      <plugin acl="users/connectivity:self" class="connectivity"/>
-      <plugin acl="users/gofaxAccount:self" class="gofaxAccount"/>
-      <plugin acl="users/phoneAccount:self" class="phoneAccount"/>
-      <plugin acl="users/nagiosAccount:self" class="nagiosAccount"/>
-      <plugin acl="users/scalixAccount:self" class="scalixAccount"/>
-      <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=%userPassword /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
-    </section>
-
     <!-- Section to enable administrative services -->
     <section name="Administration">
       <plugin acl="department" class="departmentManagement"/>
-      <plugin acl="users" class="userManagement"/>
+      <plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/sambaAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware"
+                           class="userManagement"/>
       <plugin acl="groups" class="groupManagement"/>
+      <plugin acl="roles" class="roleManagement"/>
+      <plugin acl="acl"  class="aclManagement" />
+      <plugin acl="ogroups" class="ogroupManagement" />
+      <plugin acl="sudo" class="sudoManagement" />
+      <plugin acl="netgroup" class="netgroupManagement" />
       <plugin acl="terminal/termgeneric,workstation/workgeneric,server/servgeneric,phone/phoneGeneric,printer/printgeneric,component/componentGeneric,winworkstation/wingeneric,opsi/opsiGeneric" class="systemManagement"/>
       <!-- Use 'lockDn'      for dn
                'lockName'    for name
                'lockType'    for branch/freeze -->
-      <plugin acl="netgroup" class="netgroupManagement"/>
-      <plugin acl="sudo" class="sudoManagement"/>
-      <plugin acl="roles" class="roleManagement"/>
-      <plugin acl="ogroups" class="ogroupManagement"/>
-      <plugin acl="application" class="applicationManagement"/>
-      <plugin acl="mimetypes" class="mimetypeManagement"/>
-      <plugin acl="devices" class="deviceManagement"/>
       <plugin acl="fai/faiScript,fai/faiHook,fai/faiTemplate,fai/faiVariable,fai/faiPartitionTable,fai/faiPackage,fai/faiProfile,fai/faiManagement,opsi/opsiProperties" class="faiManagement"/>
       <plugin acl="opsi" class="opsiLicenses"/>
       <plugin acl="gofaxlist" class="blocklist"/>
       <plugin acl="gofonmacro" class="goFonMacro"/>
       <plugin acl="gofonconference" class="phoneConferenceManagment"/>
-      <plugin acl="acl" class="aclManagement"/>
     </section>
 
     <!-- Section to enable addon plugins -->
     <section name="Addons">
-      <plugin acl="server/rSyslogServer" class="rsyslog"/>
-    <!--  <plugin acl="server/servservrepository,server/dakrepository,server/dakkeyring,server/dakqueue" class="dak_tabs" path="plugins/addons/dak" /> -->
-      <plugin acl="addressbook" class="addressbook"/>
-      <plugin acl="mailqueue" class="mailqueue"/>
-      <plugin acl="faxreport/faxreport:self,faxreport" class="faxreport"/>
-      <plugin acl="fonreport/fonreport:self,fonreport" class="fonreport"/>
-      <plugin acl="gotomasses" class="gotomasses"/>
+       <plugin acl="all/all"  class="propertyEditor" />
+       <plugin acl="server/rSyslogServer" class="rsyslog" />
+ <!--      <plugin acl="mailqueue" class="mailqueue" />-->
+      <plugin acl="users/viewFaxEntries:self,users/viewFaxEntries" class="faxreport" />
+      <plugin acl="users/viewFonEntries:self,users/viewFonEntries" class="fonreport" />
       <plugin acl="ldapmanager" class="ldif"/>
       <plugin acl="pwreset" class="pwreset"/>
     </section>
   </menu>
 
+  <!-- These entries will be rendered on the short-cut menu -->
+  <shortCutMenu>
+      <plugin acl="none" class="welcome" />
+  </shortCutMenu>
 
+  <!-- These entries will be rendered on the path navigator -->
+  <pathMenu>
+      <plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
+      <plugin acl="users/password:self" class="password" 
+              postmodify="USERPASSWORD=%new_password /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+  </pathMenu>
 
   <!-- Tab definitions *******************************************************
 
@@ -111,19 +101,26 @@
   <!-- User dialog -->
   <usertabs>
      <tab class="user" name="Generic"/>
-     <tab class="posixAccount" name="Unix"/>
-     <tab class="environment" name="Environment"/>
-     <tab class="mailAccount" name="Mail"/>
+     <tab class="posixAccount" name="Unix"
+          postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-create %uid"
+          postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-remove %uid %homeDirectory" />
      <tab class="sambaAccount" name="Samba"/>
-     <tab class="netgroupAccount" name="NIS Netgroup"/>
+     <tab class="mailAccount" name="Mail"/>
+<!--     <tab class="Groupware" name="Groupware" />-->
+     <tab class="scalixAccount" name="Scalix" />
      <tab class="netatalk" name="Netatalk"/>
      <tab class="connectivity" name="Connectivity"/>
      <tab class="gofaxAccount" name="Fax"/>
      <tab class="phoneAccount" name="Phone"/>
-     <tab class="scalixAccount" name="Scalix"/>
      <tab class="nagiosAccount" name="Nagios"/> 
    </usertabs>
 
+  <!-- User dialog -->
+  <MyAccountTabs>
+     <tab class="user" name="Generic" />
+     <tab class="posixAccount" name="POSIX" />
+  </MyAccountTabs>
+
   <opsiLicenseTabs>
     <tab class="licensePoolGeneric" name="Generic"/>
     <tab class="licenseUsage" name="Usage"/>
@@ -132,9 +129,9 @@
   <!-- Group dialog -->
   <grouptabs>
     <tab class="group" name="Generic"/>
-    <tab class="environment" name="Environment"/>
-    <tab class="appgroup" name="Applications"/>
+    <tab class="appgroup" name="Startmenu" />
     <tab class="mailgroup" name="Mail"/>
++<!--    <tab class="GroupwareSharedFolder" name="Groupware" />-->
   </grouptabs>
 
   <!-- Sudo dialog -->
@@ -160,13 +157,12 @@
 
   <phonetabs>
     <tab class="phoneGeneric" name="Generic"/>
-    <!-- <tab class="glpiAccount" name="Inventory" /> -->
   </phonetabs>
 
   <!-- GOto plugins -->
   <appstabs>
     <tab class="application" name="Generic"/>
-    <tab class="applicationParameters" name="Options"/>
+    <tab class="applicationParameters" name="Parameter"/>
   </appstabs>
 
   <mimetabs>
@@ -183,62 +179,44 @@
 
   <termtabs>
      <tab class="termgeneric" name="Generic" postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postmodify="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs"/>
-     <tab class="termstartup" name="Startup"/>
-     <tab class="termservice" name="Devices"/>
-     <tab class="terminfo" name="Information" snmpCommunity="goto"/>
-     <!--<tab class="glpiAccount" name="Inventory" /> -->
+     <tab class="netgroupSystem" name="NIS Netgroup"/>
   </termtabs>
 
   <servtabs>
      <tab class="servgeneric" name="Generic" postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postmodify="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs"/>
-     <tab class="workstartup" name="Startup"/>
      <tab class="ServerService" name="Services"/>
-     <tab class="faiSummaryTab" name="Deployment summary"/>
-     <tab class="gotoLogView" name="Installation logs"/>
-     <tab class="terminfo" name="Information" snmpCommunity="goto"/>
      <tab class="netgroupSystem" name="NIS Netgroup"/>
      <!-- <tab class="glpiAccount" name="Inventory" /> -->
   </servtabs>
 
   <worktabs>
      <tab class="workgeneric" name="Generic" postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postmodify="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs"/>
-     <tab class="workstartup" name="Startup"/>
-     <tab class="workservice" name="Devices"/>
-     <tab class="printgeneric" name="Printer"/>
-     <tab class="terminfo" name="Information" snmpCommunity="goto"/>
-     <tab class="faiSummaryTab" name="Deployment summary"/>
-     <tab class="gotoLogView" name="Installation logs"/>
      <tab class="netgroupSystem" name="NIS Netgroup"/>
-     <!-- <tab class="glpiAccount" name="Inventory" /> -->
   </worktabs>
 
   <printtabs>
-     <tab class="printgeneric" name="Generic" postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postmodify="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs"/>
-     <!-- <tab class="glpiPrinterAccount" name="Inventory" /> -->
+     <tab class="printgeneric" name="Generic" />
   </printtabs>
 
   <componenttabs>
      <tab class="componentGeneric" name="Generic" postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postmodify="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs"/>
      <tab class="netgroupSystem" name="NIS Netgroup"/>
-     <!-- <tab class="glpiAccount" name="Inventory" /> -->
   </componenttabs>
 
   <wintabs>
      <tab class="wingeneric" name="Generic" postcreate="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postremove="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs" postmodify="/usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync-dns-nfs"/>
      <tab class="netgroupSystem" name="NIS Netgroup"/>
-     <!-- <tab class="glpiAccount" name="Inventory" /> -->
   </wintabs>
 
   <serverservice>
     <tab class="goMailServer"/>
-    <!-- <tab class="servkolab" /> -->
+    <tab class="servkolab" />
     <tab class="goNtpServer"/>
     <tab class="servrepository"/>
     <tab class="goImapServer"/>
     <tab class="goKrbServer"/>
     <tab class="goFaxServer"/>
     <tab class="goFonServer"/>
-    <tab class="goGlpiServer"/>
     <tab class="goCupsServer"/>
     <tab class="goKioskService"/>
     <tab class="goTerminalServer"/>
@@ -285,33 +263,18 @@
     <tab class="ogroup" name="Generic"/>
   </ogrouptabs>
 
-  <!-- Debian archive management plugin -->
-  <!--
-  <dak_tabs>
-    <tab class="dakrepository" name="Repository" />
-    <tab class="dakqueue" name="Queue" />
-    <tab class="dakkeyring" name="Key ring" />
-  </dak_tabs>
-  -->
-
   <!-- Connectivity plugins -->
   <connectivity>
-<!-- <tab class='kolabAccount' /> -->
+    <tab class='kolabAccount' />
     <tab class="proxyAccount"/>
     <tab class="pureftpdAccount"/>
     <tab class="webdavAccount"/>
     <tab class="phpgwAccount"/>
     <tab class="intranetAccount"/>
-    <!--
-    <tab class="opengwAccount"
-      username="OGo"
-      password=""
-      database="OGo"
-      databaseServer="localhost" />
-    -->
     <tab class="pptpAccount"/> 
     <tab class="phpscheduleitAccount"/> 
     <tab class="oxchangeAccount"/>
+    <tab class="opengwAccount" />
   </connectivity>
 
   <ldiftab>
@@ -355,25 +318,25 @@
   </faipackagetabs>
 
   <opsitabs>
-    <tab class="opsiGeneric" name="Opsi"/>
-    <tab class="opsiSoftware" name="Hardware information"/>
-    <tab class="opsiHardware" name="software information"/>
-    <tab class="licenseUsageByHost" name="Usage"/>
+    <tab class="opsiGeneric" name="Opsi" />
+    <tab class="opsiSoftware" name="Hardware" />
+    <tab class="opsiHardware" name="Software" />
+    <tab class="licenseUsageByHost" name="License usage" />
   </opsitabs>
 
   <opsiprodconfig>
-    <tab class="opsiProperties" name="Config"/>
-    <tab class="licenseByProduct" name="Usage"/>
+    <tab class="opsiProperties" name="Properties" />
+    <tab class="licenseByProduct" name="LIcense usage" />
   </opsiprodconfig>
 
   <!-- rSyslog plugin -->
   <rsyslogtabs>
-    <tab class="rsyslog" name="System logs"/>
+    <tab class="rsyslog" name="System logs" />
   </rsyslogtabs>
 
   <!-- Netgroup dialog -->
   <netgrouptabs>
-    <tab class="netgroup" name="Generic"/>
+    <tab class="netgroup" name="Generic" />
   </netgrouptabs>
 
   <!-- Main section **********************************************************
}}}

=== Install missing GOsa² packages ===

On one migration we had to post-upgrade install the package {{{gosa-plugin-goto}}}, on another upgrade {{{gosa-plugin-netgroups}}} as missing:{{{
root@tjener:~# apt-get install gosa-plugin-goto
root@tjener:~# apt-get install gosa-plugin-netgroups
}}}


=== (Re-)Enable GOsa² Apache2 configuration ===

It may happen that GOsa²'s Apache2 configuration is not enabled anymore after dist-upgrade (observed during the step from wheezy to jessie). Re-enabling is simple:{{{
root@tjener:~# a2enconf gosa && invoke-rc.d apache2 restart
}}}

=== Set magic gosa.conf Version String ===

After some upgrades of the package {{{gosa}}} the following can be observed: If the package maintainer has modified the default {{{gosa.conf}}} file shipped with the gosa package, a site admin will see this warning message when logging into GOsa after the upgrade: ''The configuration file you are using is outdated. Please move the GOsa configuration file away to run the GOsa setup again.'' (German: ''Die von Ihnen verwendete Konfigurationsdatei scheint veraltet zu sein. Bitte entfernen Sie diese Datei und starten Sie das GOsa-Setup erneut'').

This can and should be fixed by setting a magic version hash in {{{/etc/gosa/gosa.conf}}}:
{{{
root@tjener:/etc/gosa# diff -ur /etc/gosa/gosa.conf.orig /etc/gosa/gosa.conf
--- /etc/gosa/gosa.conf.orig	2015-10-31 09:46:14.000000000 +0100
+++ /etc/gosa/gosa.conf	2015-10-31 09:46:28.000000000 +0100
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<conf configVersion="0e16844ac91297ffc1dee2f0f65ef2af">
+<conf configVersion="Managed-by-Debian-Edu">
 
   <!-- GOsa menu definition **************************************************
 
}}}

=== (Re-)Enable SLBackup Apache2 configuration ===

It may happen that SLBackup's Apache2 configuration is not enabled anymore after dist-upgrade (observed during the step from wheezy to jessie). Re-enabling is simple:{{{
root@tjener:~# a2enconf slbackup-php && invoke-rc.d apache2 restart
}}}

=== Reactivate libpam-krb5 configuration ===

By some reason, the pam_krb5.so configuration is not active anymore after upgrade from wheezy to jessie. Simplest way for re-enabling it:{{{
root@tjener:~# apt-get install --reinstall libpam-krb5
}}}



=== Update LDAP DIT for Debian Edu jessie ===

There are some variables ($GOSAADMINSDN64, $TEACHERSDN64, etc.) in the below LDAP diff. The "64" denotes that you need to use the base64 encoded representation of the DN. You will find those base64 encoded strings in the LDAP tree, but you can also create them manually.{{{
$ echo "cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no" | base64
}}} 

Use the {{{ldapvi}}} tool to add the below information to the Debian Edu mainserver's LDAP tree. {{{
diff --git a/ldap-bootstrap/autofs.ldif b/ldap-bootstrap/autofs.ldif
index 9d68cbc..05fe3e0 100644
--- a/ldap-bootstrap/autofs.ldif
+++ b/ldap-bootstrap/autofs.ldif
@@ -40,4 +40,4 @@ ou: auto.tjener
 dn: cn=/,ou=auto.tjener,ou=automount,dc=skole,dc=skolelinux,dc=no
 objectClass: automount
 cn: /
-automountInformation: -fstype=nfs4,tcp,rsize=32768,wsize=32768,rw,intr,hard,nodev,nosuid tjener.intern:/&
+automountInformation: -fstype=nfs4,sec=sys,tcp,rw,intr,hard,nodev,nosuid tjener.intern:/&
diff --git a/ldap-bootstrap/gosa-server.ldif b/ldap-bootstrap/gosa-server.ldif
index 102c86a..46f5098 100644
--- a/ldap-bootstrap/gosa-server.ldif
+++ b/ldap-bootstrap/gosa-server.ldif
@@ -6,12 +6,16 @@ ou: servers
 
 dn: cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
 macAddress: $MAC
+description: Main server; modify only if 100% sure.
 objectClass: top
 objectClass: GOhard
 objectClass: goServer
 objectClass: dhcpServer
+objectClass: goNtpServer
+objectClass: goLdapServer
 cn: tjener
 dhcpServiceDN: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
+goLdapBase: ldap://tjener:389/dc=skole,dc=skolelinux,dc=no
 ipHostNumber: 10.0.2.2
 gotoMode: locked
 
@@ -245,7 +249,7 @@ dhcpRange: 10.0.16.20 10.0.31.254
 # subnet00.intern shared network
 dn: cn=subnet00.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
 dhcpOption: routers ltspserver00.subnet00
-dhcpOption: domain-name "intern subnet00.intern"
+dhcpOption: domain-name "intern"
 dhcpOption: subnet-mask 255.255.255.0
 dhcpOption: broadcast-address 192.168.0.255
 dhcpOption: root-path "/opt/ltsp/i386"
@@ -277,7 +281,7 @@ dhcpRange: 192.168.0.20 192.168.0.253
 # subnet01.intern shared network
 dn: cn=subnet01.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
 dhcpOption: routers ltspserver01.subnet01
-dhcpOption: domain-name "intern subnet01.intern"
+dhcpOption: domain-name "intern"
 dhcpOption: subnet-mask 255.255.255.0
 dhcpOption: broadcast-address 192.168.1.255
 dhcpOption: root-path "/opt/ltsp/i386"
diff --git a/ldap-bootstrap/gosa.ldif b/ldap-bootstrap/gosa.ldif
index 41bb76f..70a5afe 100644
--- a/ldap-bootstrap/gosa.ldif
+++ b/ldap-bootstrap/gosa.ldif
@@ -21,6 +21,11 @@ dn: ou=gosa,ou=configs,ou=systems,dc=skole,dc=skolelinux,dc=no
 objectClass: organizationalUnit
 ou: gosa
 
+dn: cn=netgroupSystem,ou=gosa,ou=configs,ou=systems,dc=skole,dc=skolelinux,dc=no
+cn: netgroupSystem
+objectClass: top
+objectClass: gosaConfig
+gosaSetting: netgroupSystemRDN:ou=netgroup
 ###################### Teachers #########################
 
@@ -191,13 +196,13 @@ dn: cn=admin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: gosaRole
 gosaAclTemplate: 0:psub::all;cmdrw
-description: unlimited administrative permissions
+description: nearly unlimited administrative permissions
 cn: admin-role
 
 dn: cn=jradmin-role,ou=aclroles,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: gosaRole
-gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,groups/group;cmdr#description;w#memberUid;rw
+gosaAclTemplate: 0:sub::users/user;cmdrw,users/password;rw,users/posixAccount;r,users/sambaAccount;r,groups/group;cmdr#description;w#memberUid;rw
 description: limited administrative permissions
 cn: jradmin-role
 
diff --git a/ldap-bootstrap/ltsp.ldif b/ldap-bootstrap/ltsp.ldif
index 55e46f8..8fc0609 100644
--- a/ldap-bootstrap/ltsp.ldif
+++ b/ldap-bootstrap/ltsp.ldif
@@ -7,4 +7,4 @@ dn: cn=ltspConfigDefault,ou=ltsp,dc=skole,dc=skolelinux,dc=no
 objectclass: ltspClientConfig
 cn: ltspConfigDefault
 ltspConfig: NBD_SWAP=Y
-ltspConfig: SCREEN_07=ldm
+ltspConfig: KEEP_SYSTEM_SERVICES=lightdm
diff --git a/ldap-bootstrap/root.ldif b/ldap-bootstrap/root.ldif
index 2b41253..521c0ae 100644
--- a/ldap-bootstrap/root.ldif
+++ b/ldap-bootstrap/root.ldif
@@ -29,7 +29,7 @@ dc: skole
 ou: skole
 o: skole.skolelinux.no
 labeledURI: http://www/ LDAP for Debian Edu/Skolelinux
-gosaAclEntry: 0:psub:$GOSAADMINSDN64:server/servgeneric;#gotoMode;r#userPassword;r#FAIstate;r,all;cmdrw
+gosaAclEntry: 0:psub:$GOSAADMINSDN64:all;cmdrw,department/department;cmdrw,department/domain;r,department/organization;r,department/dcObject;r,department/country;r,department/DynamicLdapGroup;r,users/posixAccount;#shadowLastChange;r#gotoLastSystemLogin;r#mustchangepassword;r#shadowMin;r#shadowMax;r#shadowWarning;r#shadowInactive;r#shadowExpire;r#sshPublicKey;r#accessTo;r,users/sambaAccount;#AllowLoginOnTerminalServer;r#InheritClientConfig;r#sambaKickoffTime;r#enforcePasswordChange;r#cannotChangePassword;r#noPasswordRequired;r#passwordNeverExpires;r#temporaryDisabled;r#sambaLogonHours;r#sambaUserWorkstations;r
 gosaAclEntry: 1:psub:$TEACHERSDN64:users/user;r
 gosaAclEntry: 2:psub:Kg==:users/user;sr#personalTitle;w#academicTitle;w#dateOfBirth;w#gender;w#preferredLanguage;w#userPicture;w#homePostalAddress;w#homePhone;w#labeledURI;w,users/password;srw
 gosaAclEntry: 3:role:$ADMINROLEDN64:
@@ -50,6 +50,18 @@ objectClass: top
 objectClass: organizationalUnit
 ou: systems
 
+dn: ou=workstations,ou=systems,dc=skole,dc=skolelinux,dc=no
+objectClass: organizationalUnit
+ou: workstations
+
+dn: ou=terminals,ou=systems,dc=skole,dc=skolelinux,dc=no
+objectClass: organizationalUnit
+ou: terminals
+
+dn: ou=printers,ou=systems,dc=skole,dc=skolelinux,dc=no
+objectClass: organizationalUnit
+ou: printers
+
 dn: ou=winstations,ou=systems,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: organizationalUnit
}}}

=== NSCD and Netgroups ===

Until Debian bugs [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793649|#793649]], [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800523|#800523]] and [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737079|#737079]]are not fixed in NSCD, we have to disabled netgroup caching via NSCD completely:{{{
}}}

{{{
root@tjener:~# diff -u /etc/nscd.conf.orig  /etc/nscd.conf
--- /etc/nscd.conf.orig	2015-10-31 08:34:23.000000000 +0100
+++ /etc/nscd.conf	2015-10-31 08:34:38.000000000 +0100
@@ -78,7 +78,7 @@
 	shared			services	yes
 	max-db-size		services	33554432
 
-	enable-cache		netgroup	yes
+	enable-cache		netgroup	no	
 	positive-time-to-live	netgroup	28800
 	negative-time-to-live	netgroup	20
 	suggested-size		netgroup	211
}}}

Then restart NSCD and remove the stray netgroup cache file:

{{{
root@tjener:~# invoke-rc.d nscd restart
root@tjener:~# rm -f /var/cache/nscd/netgroup
}}}

=== Fix PXE Netinstall ===

On a Debian Edu network, you can install other Debian Edu machines via the Debian Edu main server by simply PXE booting a new machine.

Steps to get PXE Netinstall updated to Debian Edu jessie 8:

  1. Clean-up old Debian Installer versions:{{{
# Debian Installer for Debian 7 (aka wheezy)
root@tjener:~# apt-get remove --purge debian-installer-7.0-netboot-amd64 debian-installer-7.0-netboot-i386
# Debian Installer for Debian 6 (aka squeeze) and before
root@tjener:~# apt-get remove --purge debian-installer-6.0-netboot-amd64 debian-installer-6.0-netboot-i386
}}}The APT utility is likely to report about not being able to remove some of the package directories. This is caused by non-package files (e.g. initrd.gz backups) still remaining in those dirs. If that happens, remove those files and dirs manually.
  1. Install the Debian Installer Netboot packages:{{{
root@tjener:~# apt-get install debian-installer-8-netboot-amd64 debian-installer-8-netboot-i386
}}}
  1. Run the Debian Edu PXE Installer script:{{{
root@tjener:~# debian-edu-pxeinstall
}}}
  1. Add non-free firmwares to your PXE based Debian Edu Installer:{{{
root@tjener:~# /usr/share/debian-edu-config/tools/pxe-addfirmware
}}}

=== Switch over to Squid3 ===

In Debian Edu jessie, using the Squid http proxy server version 2 is deprecated. Instead, Squid version 3 gets used. We need to switch over to Debian package squid3 properly to make the upgraded main server resemble a freshly installed Debian Edu jessie main server:

  * Install package {{{squid3}}} first (while you still have a running {{{squid}}} (version 2) and stop it immediately:{{{
root@tjener:~# apt-get install squid3
root@tjener:~# invoke-rc.d squid3 stop
}}}
  * Now also stop the Squid v2 proxy server:{{{
root@tjener:~# invoke-rc.d squid stop
}}}
  * Empty and unmount /var/spool/squid/:{{{
root@tjener:~# rm -Rf /var/spool/squid/*
root@tjener:~# umount /var/spool/squid/
}}}
  * Rename the underlying logical volume:{{{
root@tjener:~# lvrename /dev/vg_system/var+spool+squid /dev/vg_system/var+spool+squid3
}}}
  * Check that {{{/var/spool/squid3/}}} is (still) empty and mount the above logical volume to that directory:{{{
root@tjener:~# mount /dev/vg_system/var+spool+squid3 /var/spool/squid3
}}} Don't forget to adapt {{{/etc/fstab}}} accordingly.:
  * Copy Debian Edu's {{{squid.conf}}} into the {{{/etc/squid3/}}} folder:{{{
root@tjener:~# install -T -o root -g root -m 0644 /usr/share/debian-edu-config/squid3.conf /etc/squid3/squid-debian-edu.conf
}}}
  * Tell Squid v3 to use the Debian Edu provided configuration file by creating {{{/etc/default/squid3}}} by putting the below lines into that file: {{{
CONFIG=/etc/squid3/squid-debian-edu.conf
SQUID_ARGS="-YC -f /etc/squid3/squid-debian-edu.conf"
}}}
  * Make Squid v3 use 80% of the underlying spooling file systems:{{{
root@tjener:~# /usr/share/debian-edu-config/tools/squid-update-cachedir /etc/squid3/squid-debian-edu.conf
}}}
  * Update system environment to the latest {{{wpad.dat}}} settings:{{{
root@tjener:~# /usr/share/debian-edu-config/tools/update-proxy-from-wpad /etc/debian-edu/www/wpad.dat
}}}

  * Fully uninstall/purge the old Squid (v2) from the system:{{{
root@tjener:~# apt-get remove --purge squid
}}}


=== Fixing CUPS ===

==== Using Debian Edu's CUPS configuration file ====

You have to assure that Debian Edu's CUPS main configuration file gets used:{{{
root@tjener:~# cd /etc/cups
root@tjener:~# mv cupsd.conf cupsd.conf.bak
root@tjener:~# ln -s cupsd-debian-edu.conf cupsd.conf
}}}

'''Note:''' If you have performed changes on Debian Edu's default cupsd-debian-edu.conf file, you may have to work-in those changes again (see: {{{/etc/cups/cupsd-debian-edu.conf.dpkg-old}}} or your backups for reference).

==== Allowing Debian Edu machines to browse CUPS daemon ====

The CUPS browsing is handled by the package {{{cups-browsed}}. We observed distribution upgrades from squeeze to jessie where the {{{cups-browsed}}} package was not installed after dist-upgrade. In such cases, install {{{cups-browsed}}} manually now:

{{{
root@tjener:~# apt-get install cups-browsed
}}}

Furthermore, you need package {{{libnss-mdns}}} installed for printer auto-discovery to work on multicast capable networks:

{{{
root@tjener:~# apt-get install libnss-mdns
}}}

CUPS in Debian jessie runs the browse daemon in a seprate process ({{{cups-browsed}}}). That daemon has its own configuration file ({{{/etc/cups/cups-browsed.conf}}}. Make sure that clients on the Debian Edu subnet can browse your print server's CUPS daemon by adding{{{
BrowseAllow 10.0.0.0/8
}}} to that configuration file.

If clients still cannot see the print server's printing devices, there may be issues on the client-side (e.g., package {{{libnss-mdns}}} is not installed there). Please see below.

=== Fixing TJENER's mail system ===

==== Allow relaying for hosts on the 10/8 network ====

Until Debian bug [[http://bugs.debian.org/794602|#794602]] has been fixed in the Debian package archives, this change needs to be applied manually for Exim4 mail relaying to work correctly:

{{{
root@tjener:/etc/exim4# diff -ur exim-ldap-server-v4.conf.orig exim-ldap-server-v4.conf
--- exim-ldap-server-v4.conf.orig	2015-10-31 10:01:27.000000000 +0100
+++ exim-ldap-server-v4.conf	2015-10-31 10:01:52.000000000 +0100
@@ -188,6 +188,8 @@
   # Exim 3 had no checking on -bs messages, so for compatibility
   # we accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
+  accept  hosts = :
+  accept  hosts = +relay_hosts
 
   # Make sure users can not fake sender address vis SMTP.  Reject
   # unauthenticated connections and check that the sender is the same
@@ -197,9 +199,7 @@
   deny condition = ${if eq{$authenticated_id}{$sender_address_local_part@INTERN}{false}{true}}
         message = Sender address $sender_address conflicts with authentication $authenticated_id.
 
-  accept  hosts = :
   accept  domains = +local_domains
-  accept  hosts = +relay_hosts
   deny    message = relay not permitted
 
 # ACL that is used after the DATA command
}}}


= Notes on Upgrading Debian Edu Clients =

== PAM Kerberos may be broken ==

On one system we encountered an issue where the file {{{/usr/share/pam-configs/krb5}}} did not exist anymore after an upgrade/dist-upgrade from Debian squeeze to Debian jessie. The quick-fix for this is{{{
root@<client>:~# apt-get install --reinstall libpam-krb5
}}}

Another issue is that cfEngine rules described in {{{/etc/cfengine/debian-edu/cf.krb5client}}} were not fully applied. The manual steps to (re-)apply those rules are:{{{
root@<client>:~# ln -s /usr/share/debian-edu-config/pam-config-nopwdchange /usr/share/pam-configs/edu-nopwdchange
root@<client>:~# /usr/share/debian-edu-config/tools/sssd-generate-config -k > /etc/krb5.conf
root@<client>:~# /usr/sbin/pam-auth-update --package
}}}

'''Warning''': Never run {{{/usr/share/debian-edu-config/tools/sssd-generate-config}}} on the Debian Edu main server.

== CUPS Browsing ==

Please make sure that the packages {{{cups-browsed}}} and {{{libnss-mdns}}} are installed.{{{
root@<client>:~# apt-get install cups-browsed libnss-mdns
}}}
After a little delay, all printers hosted on the Debian Edu print server (by default, this is {{{tjener.intern}}}) should appear under this browser URL on your client machine:{{{
http://localhost:631
}}}

If this is not the case, you could try this work-around: 

  * Log into GOsa² and add a CNAME DNS alias to {{{tjener.intern}}}, named {{{ipp.intern}}}.
  * Work-around on non-multicast capable networks: Add {{{
BrowsePoll ipp.intern
}}} to {{{/etc/cups/cups-browsed.conf}}}.

= References =

  * [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717215
  * [2] https://forge.univention.org/bugzilla/show_bug.cgi?id=33160