<div dir="ltr"><div><div><br></div>Follow-up on the installation report and answer to Andi's remarks :)<br><br></div>It was quite a busy week, mainly due to the "performances" issues and a stubborn printer.<br>
<div><div><br><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">
> The only major one is network performances. This is not directly bound to<br>
> debian-lan, but it's architecture makes it highly network dependent.<br>
> With a poor-man's network (100mb), old cables, old computers, the overall<br>
> reactivity of the desktop is quickly impacted. There are high variation of<br>
> reactivity and the cause is not yet identified. I just can say that it's<br>
> not the server which is nearly idle.<br>
> Tomorrow, I will be able to check if it's better since the installation of<br>
> some non-free network firmwares. Some tcpdump might help locate the cause.<br></div></blockquote><div><br></div><div>The non-free firmwares (e.g.: firmware-realtek) and those like firmware-linux (firmware-linux-nonfree) can improve some performances issues.<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">
<br>
</div>This is interesting, and we should definitely find out the reason for such<br>
bad performance. Can you give some more information about the setup,<br>
i.e. how many workstations, diskless machines you have running? Are<br>
gateway and server on different machines or do you use the setup where<br>
the mainserver acts as gateway?<br></blockquote><div><br></div><div>Thus,<br></div><div>Bad performances were due to .... tadaaaam.... the tremendous amount of emails stored in users inboxes (some of them had around 20K mails) which made icedove react sluggishly and glued the whole desktop environment in the concerned setup.<br>
</div><div>The network needed a big cleanup and some new cables improved the responsiveness even with a 100Mb switch.<br></div><div><br></div><div>The server is actually the gateway, there are 8 linux workstations and 4 winstations. I left the diskless one temporarily because the startup blocked and I had no time to investigate (+ the issue with LOGUSER which I will be able to solve with Andi's suggestion). I supposed it's related to some drivers.<br>
</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im"><br>
> On the minor ones:<br>
> - when I create the LOGUSER for fai, I'm requested to input Kerberos<br>
> credential, which I don't have. Seems that local users need to be created<br>
> before debian-lan installation. Otherwise, these users need to be within<br>
> ldap. I searched a bit but didn't found the best solution to apply.<br>
<br>
</div>Hm, indeed, creating a local user doesn't work as usual, just tested<br>
it myself here. You can create the account ignoring the kerberos<br>
password and modify it later:<br>
<br>
Create a password hash with "mkpasswd", and then use<br>
<br>
usermod -p YnxZ6TRKNzBLs test<br>
<br>
to update /etc/shadow. But I agree, this is not perfect. I guess PAM<br>
is responsible for mixing in Kerberos ...<br></blockquote><div><br></div><div>OK, Thanks for the tips.<br></div><div>I saw some info about the problem with pam. I will check that again in the lab.<br></div><div>Do we have any task/bug tracking we can use to manage such issues or do we use debian's bug tracking?<br>
</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im"><br>
> - one failure with a disk-less client (not yet investigated)<br></div></blockquote><div>abandoned issue<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">
> - one failure with a workstation where grub was not successfully installed<br>
> (not yet investigated)<br></div></blockquote><div>suddenly worked<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">
> - some packages need to be added for French environment (this will be<br>
> included in a separate config file)<br>
<br>
</div>Oh yes, please add a class like FRENCH or the like ...<br></blockquote><div>This will follow as a FR-Belgian class.<br></div><div>+ this needs a modification of /etc/default/keyboard because we use CapsLock a lot.<br>
</div><div>I had to remove<br>XKBOPTIONS="xorg ctrl:nocaps"<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im"><br>
> - shorewall needs a bunch of rules to make the whole thing work. This will<br>
> be posted too and included in a config file.<br>
<br>
</div>Very good idea to include shorewall!<br></blockquote><div><br></div><div>This will follow (two_interfaces setup + openvpn) <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im"><br>
> - Squid was bypassed. This might need a configuration change to support<br>
> TPROXY and work along with shorewall. Testing tomorrow.<br></div></blockquote><div><br></div><div>No time to test TPROXY yet (required some more configuration). Though users are blocked by the proxy. <br>Isn't this rule blocking ?<br>
# Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">
> - installation of flashplugin-nonfree needs a bypass for the proxy. This<br>
> will be tested tomorrow following information from <a href="http://wiki.debian.org" target="_blank">wiki.debian.org</a>.<br></div></blockquote><div>To do<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">
> - printing issues related to the network printer. Might need lsb-printing<br>
> package to support the provided drivers.<br></div></blockquote><div>Not DL related. Printer needs a firmware update before anything else.<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
> - adding samba machines, not yet ok. But disk and printer sharing is OK. <br></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="im">
> - need a read-only user into ldap for some authentication needs like<br>
> printer connection, authentication from windows (home edition) with<br>
> pgina,...<br>
> - added support for openvpn but this should be better integrated into ldap.<br>
> - added fail2ban, just in case. I'll latter improve the shorewall config.<br>
> - I added a dirvish config for backups upon insertion of an external<br>
> usb-hdd. If someone needs it, I will post.<br>
<br>
</div>That sounds pretty interesting, if you don't mind, please post it or<br>
add it to the wiki.<br>
<div class="im"><br></div></blockquote><div>I will post it.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">
> - baddly need the educlient/eduroaming packages. This is my next target for<br>
> the coming days.<br>
<br>
</div>There was/is a discussion about the roaming workstations on the<br>
debian-edu list:<br>
<a href="https://lists.debian.org/debian-edu/2013/04/msg00192.html" target="_blank">https://lists.debian.org/debian-edu/2013/04/msg00192.html</a><br>
<br>
Perhaps we can learn from them ...<br>
<div class="im"><br>
> And, for my own education. I didn't tested the password expiration yet.<br>
> What should happen when password is about to expire (provided the warning<br>
> is enabled in Gosa) and is the user able to change it form its workstation<br>
> or needs to connect onto Gosa?<br>
<br>
</div>I fear that this does not work. All login passwords used are kept in the<br>
Kerberos KDC, and the password in GOsa is only used to log into the<br>
GOsa web page. If a password is changed there, Kerberos is<br>
synchronized by the gosa-sync script. If you change a password with<br>
kpasswd, the LDAP password used by GOsa is not modified, i.e. you have<br>
to login into GOsa with the old one. This is by far not perfect, but<br>
unfortunately that's the state of GOsa.<br>
<br>
<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698544" target="_blank">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698544</a><br>
<div class="im"><br></div></blockquote><div>Some times I wonder if we coulnd't try a fork with a simple openldap with phpldapadmin?<br></div><div>Just for the sake of simplicity.<br></div><div>I will try that when time will permit.<br>
</div><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">
> All in all, this was quite a success!<br>
<br>
</div>Yes, I am pretty happy that things work for you, and you already added<br>
quite some interesting stuff which might be interesting to include<br>
"upstream".<br>
<br>
Many thanks for reporting and keep us up to date! <br></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Best regards,<br>
<br>
Andi<br></blockquote><div><br><br></div><div>Thanks for your interest Andi. Glad to help<br></div></div><br></div><div class="gmail_extra">Julien<br></div></div></div></div></div>