
Skolelinux autoconfig system
============================

Uses cfengine to automatically configure the hosts.

This package is used for all configuration that is impossible to do
using debconf answers during first time install.  Configuration
changes, replacement config files and extra files to install in a
Skolelinux installation belong to this package.

All the configuration done in this package should in principle be
possible to do using debconf answers.  We should strive to get patches
into the Debian packages or upstream source, to reduce the need for
Skolelinux specific configuration.

Adding / replacing config files
-------------------------------

If we want to install (add) a file which is not included in another
Debian package, the file should be installed as a normal file in the
Debian package.  This is only useful if the file can be safely
installed for all profiles.

If the file already exists in another package, we should try to use
cfengine edit commands to modify the existing file.  Only if the
changes are massive is it more sensible to replace the existing file
with one of our own, and only in that case should we use the
masterfiles to copy a replacement file on top of the existing
configuration file.
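The two approaches above, written as CFEngine 3 promises.  This is an
added example and not code from the debian-edu-config cf3/ tree; the
file names, the files/ subdirectory under /etc/cfengine3/debian-edu and
the bundle and body names are assumptions made for the illustration.
The edit case points the NTP client at the host behind the ntp alias,
as described further down in this README; the copy case shows the
whole-file replacement that is reserved for massive changes.

```cfengine3
# Added example (not from debian-edu-config): editing an existing file
# versus replacing it from the masterfiles.  Paths below are assumed,
# except /etc/cfengine3/debian-edu, where the package installs cf3/.

bundle agent debian_edu_example_files
{
  vars:
    "masterfiles" string => "/etc/cfengine3/debian-edu/files";  # assumed

  files:
    # Small change: edit the file another package owns, so that the
    # rest of the file still follows the Debian package on upgrades.
    "/etc/ntp.conf"
      edit_line => use_local_ntp_server,
      comment   => "Use the host behind the ntp DNS alias as time source";

    # Massive change: copy our replacement on top of the packaged file.
    # compare => digest leaves an identical file untouched, so the
    # promise is idempotent and does not rewrite the file on every run.
    "/etc/cups/cupsd.conf"
      copy_from => local_replacement("$(masterfiles)/cups/cupsd.conf"),
      perms     => mode_0644,
      comment   => "Whole-file replacement, only used for large changes";
}

bundle edit_line use_local_ntp_server
{
  delete_lines:
    # Drop the pool servers the Debian package ships with.
    "^server\s+.*pool\.ntp\.org.*$";

  insert_lines:
    # Short name only, as this README asks, so that a school changing
    # its domain or addresses does not have to touch this file.
    "server ntp iburst";
}

body copy_from local_replacement(path)
{
  source      => "$(path)";
  compare     => "digest";
  copy_backup => "timestamp";   # keep the packaged file for reference
}

body perms mode_0644
{
  mode => "0644";
}
```

Running cf-agent with this bundle a second time makes no changes: the
pool lines are already gone, the ntp line is already present, and the
digest of cupsd.conf already matches the masterfile.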

Source overview
---------------

  cf3/		  - the cfengine configuration files, installed into
		    /etc/cfengine3/debian-edu
  etc/...         - New files installed into /etc/...
  bin/            - New files installed into /usr/bin/
  share/...       - New files installed into /usr/share/...

Contact Petter Reinholdtsen <pere@hungry.com> if you have questions.

What is configured
==================

This is a high-level description of the configuration changes done by
this package, including the files related to the configuration change.

DNS server (bind)
------------------

  Preconfigured DNS zone .intern with DNS names for services used by
  debian-edu.  Also includes the DHCP distributed IP addresses used.
  The address range is separated into groups.
 
  https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Architecture
  includes a list of services that are set up by default in a Skolelinux 
  network, please update it when you add new services.

  Where possible the DNS name corresponds to the service name in /etc/services;
  where this is not possible the common name of the service is used as the DNS
  name.  All configuration files will, if possible, refer to the service by name
  (without the domain name), making it easy for schools to change either
  their domain (if they have their own DNS domain) or the IP addresses they use.

DHCP server (dhcp)
-------------------

  Contains info on the IP range and DNS server used on the network,
  and what to hand out to the clients.  Also contains LTSP
  configuration options.

syslog (rsyslog)
----------------

  The main-server profile is configured as a syslog message collector,
  and all clients (workstation and ltsp-server) are configured
  to send all syslog messages to the host behind the DNS name syslog.

NTP clients and server
----------------------

  The main-server profile is configured as a publicly available NTP
  server, and the workstation and ltsp-server profiles are
  configured as NTP clients using the host behind the DNS name ntp as
  their NTP server.

LDAP server (slapd)
-------------------

  Prepared to work as a NIS replacement for PAM, NSS and
  automount (autofs).  Also prepared to work as backend storage for the
  Samba domain controller, and to contain the GOsa and sudoers default
  configuration.


NFS server (nfs-kernel-server)
------------------------------

HTTP proxy (squid)
------------------

SMB domain controller and file server (samba)
---------------------------------------------

  The Samba server is configured with workgroup 'skolelinux' and LDAP-based
  authentication.  Printing is configured with CUPS, and an automatic
  drive mapping is set for a connected user's home directory at h:\.
  The Samba server acts as a domain controller and WINS (Windows name
  service) server.
  Samba client workstations use tjener as their authentication server, WINS
  server and domain controller.  Their NetBIOS name is set automatically.
  Roaming profiles are on by default, but the profiles are not separated
  from the home data into specific directories for each Windows
  version like Win2K or WinXP.


SMTP and IMAP post office (exim and dovecot)
---------------------------------------------

  The Dovecot IMAP server is configured and can be accessed using a Kerberos
  ticket (GSSAPI).

  Exim is configured as a simple local mail relay on workstations and
  as a server for local users on servers.  Local users are looked up in
  the LDAP database using the Exim LDAP lookup module.

X terminal server solution (LTSP)
---------------------------------

Printer system (CUPS)
---------------------

  Configure CUPS to work out of the box.  Disable non-encrypted access
  for all hosts except localhost.

    cf3/cf.cups
    etc/cups/cupsd-debian-edu.conf

HTTP server (apache2)
---------------------

  For now, the Apache configuration is only tuned to know that user home
  pages are in /skole/tjener/home*/*/public_html (see cf3/cf.apache2)


KDE client config
-----------------

SSH (openssh)
-------------

inetd
-----

  Disable unused network services (discard, daytime, time) on all
  hosts, and disable SMTP listening on all client machines.
    cf3/cf.inetd

Design choices
==============

Local device access
-------------------
  Petter Reinholdtsen, 2006-10-17

  The local user should have access to some of the local devices
  (sound, cdrom, etc) after logging in on the console or via
  gdm/xdm/etc, but not when logging in from remote via ssh.  There
  are as far as I know two ways to make this happen.  One way is to
  add the local user to the groups needed to access these devices, the
  other is to change the permissions on these devices to give access
  to the local user.  The former is done using pam_group, while the
  latter is done using pam_devperm.  Both have advantages and
  weaknesses.

  pam_group
  ---------

  By updating /etc/pam.d/common-auth and /etc/security/group.conf it is
  possible to add the logged in user to the groups needed (audio,
  floppy, cdrom, plugdev, video).  In addition to getting access to
  the devices present during login, it also makes sure hotplugged
  devices like USB sticks work (group membership in plugdev takes care
  of this).

  The problem with this method is that every member of the groups in
  question can create a setgid program to gain access to the devices
  also when not logged into the machine.  This will make it possible
  to record from the microphone, read from the floppy, cdrom and
  usb stick, as well as play unwanted sound on other users' computers.
  It is also possible to start long-running processes in the
  background to keep the access privileges to the devices in question.

  There are some problems with this approach with kde 3.5, as it
  switched from using pmount (which works) to using hal callouts which
  do not.  More info in bug #377689.

--- /etc/pam.d/common-auth.orig 2006-10-17 11:25:40.000000000 +0000
+++ /etc/pam.d/common-auth      2006-10-17 11:25:29.000000000 +0000
@@ -7,4 +7,5 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 # traditional Unix authentication mechanisms.
 #
+auth   optional        pam_group.so
 auth   required        pam_unix.so nullok_secure
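Review bot: the new "auth optional pam_group.so" line lands in common-auth, which every PAM service on the host includes, so nothing in this hunk limits which logins get the extra groups; the only guard is the tty/display match in /etc/security/group.conf. A comment on the line should say so, and should note that "optional" means a pam_group error (for example a group.conf that fails to parse) silently grants no groups rather than failing the login, which is the safe direction for a module that only adds privileges.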
--- /etc/security/group.conf.orig       2006-10-17 11:27:32.000000000 +0000
+++ /etc/security/group.conf    2006-10-17 11:31:43.000000000 +0000
@@ -55,6 +55,8 @@
 #xsh; tty* ;*;Al0900-1800;floppy


+*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video
+*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video

 #
 # End of group.conf file
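Review bot: both added rules use "*" for the user and the service and "Al0000-2400" for the time, so those three fields restrict nothing; the whole decision rests on the tty pattern "tty*&!ttyp*" and the display ":0". The "!ttyp*" exclusion only covers BSD-style pseudo-terminals; on a kernel using Unix98 ptys an ssh session's tty is "pts/N", which does not match "tty*" either, so remote logins are kept out, but that reasoning belongs in a comment above the rules since it is not obvious from the pattern. Also decide whether ":0" is meant to exclude a second local X display; if not, ":*" is the pattern.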

  pam_devperm
  -----------

  By installing libpam-devperm and updating /etc/pam.d/common-session
  (and /etc/logindevperm to fix bug #393661 and get access to
  /dev/dsp), it is possible to modify the permissions of relevant
  devices when a user logs in, and reset the permissions when the user
  logs out.  The owner of the device is changed to the logged in user,
  and the mode is normally set to 0600 granting exclusive access.

  The problem with this method is that hotplug devices do not work, as
  they are not available when the user logs in, and the device
  ownership is only modified when the user logs in.  Another problem is
  that the user can keep the access privileges for the devices after
  he logs out by starting long-running processes in the background.

--- /etc/pam.d/common-session.orig      2006-10-17 11:23:21.000000000 +0000
+++ /etc/pam.d/common-session   2006-10-17 10:42:08.000000000 +0000
@@ -7,3 +7,4 @@
 # non-interactive).  The default is pam_unix.
 #
 session        required        pam_unix.so
+session        required        pam_devperm.so
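Review bot: "session required pam_devperm.so" makes any error returned by pam_devperm fail the whole session open, so a problem with a device entry would lock the user out instead of merely leaving the device inaccessible; unless that is intended, "optional" is the safer control for a module whose only job is to adjust device permissions. The placement after pam_unix.so is right, since the ownership change should happen once the session itself is established.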
--- /etc/logindevperm.orig   2006-10-17 10:51:58.000000000 +0000
+++ /etc/logindevperm   2006-10-17 10:53:08.000000000 +0000
@@ -24,7 +24,7 @@
 :0 0600 /dev/cdrecorder:/dev/cdrecorder1:/dev/cdrecorder2:/dev/cdrecorder3
 :0 0600 /dev/dvd:/dev/dvd1:/dev/dvd2:/dev/dvd3
 :0 0600 /dev/zip:/dev/zip1:/dev/zip2:/dev/zip3
-:0 0600 /dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
+:0 0600 /dev/dsp:/dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
 :0 0600 /dev/fd0:/dev/fd0u1440:/dev/fd0h1440:/dev/fd0u720:/dev/fd0h720
 :0 0600 /dev/fd1:/dev/fd1u1440:/dev/fd1h1440:/dev/fd1u720:/dev/fd1h720
 :0 0600 /dev/sequencer:/dev/sequencer2:/dev/music
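Review bot: the corrected entry keeps the ":0" prefix, so /dev/dsp is only re-owned for logins on X display :0; text console logins, which the pam_group variant above covers via "tty*", still get no sound device with this method. If console logins should also work, a matching entry for the console ttys is needed, and the same applies to the neighbouring cdrecorder, dvd, zip and floppy lines. The 0600 mode is consistent with the rest of the file and gives the logged-in user exclusive access.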

  Conclusion
  ----------

  I recommend using the pam_group mechanism to get a working hotplug
  support, and recommend solving the setgid-issue by adding the nosuid
  mount flag to the partitions where users can add files (/home/,
  /tmp/, /dev/shm/, /var/lock/), and solving the problem with
  long-running processes by running some kind of idle-job killer to
  kill long-running processes.
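How the nosuid part of this recommendation can be enforced with the
cfengine mechanism this package uses.  This is an added example, not
code from debian-edu-config or from the author of the note above.  The
list of mount points, the fstab field layout and the bundle and body
names are assumptions.  It covers only locally mounted filesystems
listed in /etc/fstab; the home directories are served by NFS through
autofs (see the LDAP server section), so their mount options live in
the automount map rather than in fstab.  Note also what nosuid does
not solve: a process started in the background while the user still
held the device groups keeps them until it exits, which is why the
note pairs nosuid with an idle-job killer.

```cfengine3
# Added example (not from debian-edu-config): append nosuid to the
# mount options of the user-writable local filesystems in /etc/fstab.
# Mount points and fstab layout are assumptions.

bundle agent debian_edu_example_nosuid
{
  vars:
    # Locally mounted filesystems where unprivileged users can create
    # files, and hence setgid binaries.  /home is NFS via autofs here,
    # so it is not in this list.
    "local_user_fs" slist => { "/tmp", "/dev/shm", "/var/lock" };

  files:
    # One edit promise per mount point.  A setgid program created while
    # the user was a member of audio/cdrom/... is then executed without
    # the extra group once the filesystem is remounted with nosuid.
    "/etc/fstab"
      edit_line => fstab_add_nosuid("$(local_user_fs)"),
      comment   => "nosuid on user-writable local filesystems";
}

bundle edit_line fstab_add_nosuid(mountpoint)
{
  replace_patterns:
    # fstab fields: device mountpoint type options dump pass.
    # Group 1: device, mount point and type with their spacing.
    # Group 2: the options field, only if it does not yet contain
    #          nosuid (negative lookahead), so the edit converges and
    #          the pattern no longer matches after one rewrite.
    # Group 3: the rest of the line (dump and pass fields).
    "^(\S+\s+$(mountpoint)\s+\S+\s+)((?!\S*nosuid)\S+)(\s.*)$"
      replace_with => append_nosuid;
}

body replace_with append_nosuid
{
  # $(match.N) are the capture groups of the pattern above.
  replace_value => "$(match.1)$(match.2),nosuid$(match.3)";
  occurrences   => "first";
}
```

A line such as "tmpfs /dev/shm tmpfs defaults 0 0" becomes
"tmpfs /dev/shm tmpfs defaults,nosuid 0 0", and a line that already
carries nosuid is left alone.  The new option takes effect on the next
mount or remount of each filesystem; cfengine only edits the table.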



Ideas for LDAP based client configuration, reducing the amount of
configuration stored on clients.
=================================================================

The basic idea is to let the clients derive all the information they
need by starting with the DHCP reply and continue from there.  At the
moment, clients have LDAP tree information hardcoded.  This can be
fetched dynamically from the LDAP server, if the LDAP server can be
located.  The LDAP server can be found using the same mechanism used
by MS AD, by adding the _ldap._tcp SRV records, or just using our
'ldap' DNS alias as before.

 - use the _ldap._tcp SRV record to find the LDAP server
 - use the LDAP "root" object (the root DSE) to find LDAP tree info (like
   the AD defaultNamingContext attribute)
    "ldapsearch -x -s base -h $server -b '' '(objectclass=*)' '+'"
 - subnet tree with relevant information?  AD has the subtree
     "CN=Subnets,CN=Sites,CN=Configuration,$base" with objectClass=subnet
     objects.
   - like printers to use?
   - like proxy settings?
   - like browser home page?
 - proxy configuration using WPAD provided by DHCP or from LDAP?
   "Web Proxy Auto-Discovery" (WPAD).
 - browser home page provided from LDAP for the host and/or user
 - LDAP populated using sitesummary information
   - for host group membership
   - for DHCP MAC address binding
   - for DNS names
   - LTSP configuration?

Can the browser fetch configuration from LDAP?

An alternative is to use the avahi service announcement mechanism.