<div dir="ltr"><div><div><div><div><div><div><div><br></div>Hello List<br></div>Hi Andreas<br><br></div>I'm working on the update of debian-lan version 0.12<br></div>The release that I installed was the one available around end of April.<br>
<br></div>The recommendation you gave earlier were already helpful. Some scripts are already slightly modified to include a "DLUpdate=true" environment variable to allow executing fai -Nv softupdate correctly.<br>
</div>This currently concerns the following files<br><br>fai/config/scripts/LDAP_CLIENT/10-ldap.conf<br>fai/config/scripts/LDAP_CLIENT/20-nslcd.conf<br>fai/config/scripts/DNS_SERVER/10-zones<br>fai/config/scripts/FAISERVER/10-config<br>
fai/config/scripts/FAISERVER/40-dhcp<br><br>and also<br>fai/config/files/etc/rc.local/FAISERVER<br></div>to allow the rebuild of /srv/nfsroot and /opt/live/<br><div><br><div>Though, during the update process I'm facing an issue with Kerberos, slapd and nslcd, which I still can't correctly identify.<br>
</div><div>This translate into the fact that the session is opened and directly closed on the workstation.<br></div><div>The krb5.keytab of the workstation was correctly transfered. However it seems to remain an inconsistency in Kerberos.<br>
</div><div>I still have to test the fix for fai/config/scripts/DNS_SERVER/10-zones in the logs hereafter (which might be the cause of the problem, indeed)<br><br></div><div>from kdc.log<br>Jul 12 16:06:14 mainserver krb5kdc[2847](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed<br>
<br></div><div>from daemon.log<br>Jul 12 16:04:55 mainserver nslcd[2904]: [52255a] <passwd="nfs/workstation00.intern"> request denied by validnames option<br>Jul 12 16:04:55 workstation00 rpc.idmapd[1564]: nss_getpwnam: name 'nobody' does not map into domain 'intern'<br>
Jul 12 16:04:55 mainserver nslcd[2904]: [9cf92e] <passwd=10001> ldap_start_tls_s() failed (uri=ldap://ldap): Connect error: (unknown error code)<br>Jul 12 16:04:55 mainserver nslcd[2904]: [9cf92e] <passwd=10001> failed to bind to LDAP server ldap://ldap: Connect error: (unknown error code)<br>
Jul 12 16:04:55 mainserver nslcd[2904]: [9cf92e] <passwd=10001> no available LDAP server found: Connect error<br>Jul 12 16:04:55 mainserver nslcd[2904]: [ed7263] <group=10001> no available LDAP server found: Server is unavailable<br>
Jul 12 16:04:55 mainserver nslcd[2904]: [dcc233] <passwd="thome"> no available LDAP server found: Server is unavailable<br>Jul 12 16:04:55 mainserver rpc.gssd[1856]: ERROR: Cannot determine realm for numeric host address while getting realm(s) for host '10.0.1.100'<br>
Jul 12 16:04:55 mainserver rpc.gssd[1856]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host 10.0.1.100<br>Jul 12 16:04:55 mainserver rpc.gssd[1856]: ERROR: No credentials found for connection to server 10.0.1.100<br>
Jul 12 16:04:56 workstation00 acpid: client 2349[0:0] has disconnected<br>Jul 12 16:04:56 workstation00 acpid: client connected from 2957[0:0]<br>Jul 12 16:04:56 workstation00 acpid: 1 client rule loaded<br>Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin"> ldap_start_tls_s() failed (uri=ldap://ldap): Connect error: (unknown error code)<br>
Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin"> failed to bind to LDAP server ldap://ldap: Connect error: (unknown error code)<br>Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin"> no available LDAP server found: Connect error<br>
Jul 12 16:05:58 mainserver nslcd[2904]: [efd79f] <group/member="munin"> no available LDAP server found: Server is unavailable<br>Jul 12 16:07:16 mainserver named[2260]: dumping master file: /etc/bind/tmp-chk8P8Qjz0: open: permission denied<br>
Jul 12 16:08:34 workstation00 nslcd[2461]: [3c9869] <passwd="thome"> (re)loading /etc/nsswitch.conf<br>Jul 12 16:08:58 mainserver named[2260]: dumping master file: /etc/bind/tmp-nNiyCzorJU: open: permission denied<br>
Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap"> ldap_start_tls_s() failed (uri=ldap://ldap): Connect error: (unknown error code)<br>Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap"> failed to bind to LDAP server ldap://ldap: Connect error: (unknown error code)<br>
Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap"> no available LDAP server found: Connect error<br>Jul 12 16:14:27 mainserver nslcd[2904]: [a7c4c9] <group/member="openldap"> no available LDAP server found: Server is unavailable<br>
<br></div><div>Thereby, since there is a change in slapd certificates location, there was an issue with TLS wich is mostly fixed (within ldap.conf, slapd.conf and nslcd.conf.)<br></div><div>I can successfully execute the following command (as root and without kerberos ticket)<br>
ldapsearch -x -b "dc=intern" -H 'ldap://ldap/' -ZZ<br></div><div>but I can't do a kinit for root. This results in :<br>root@mainserver:/var/log# kinit<br>Password for root@INTERN: <br>kinit: Password incorrect while getting initial credentials<br>
<br></div><div>Any hint would be greatly appreciated.<br><br><br></div><div>On the other side of the force :)<br></div><div>If we look at the above, updating from one release to another is not an easy process.<br></div><div>
Could we consider to put a "debian-lan.release" containing the release tag in /etc in order to ease the updates. This file could then be tested by the scripts for the necessary updates.<br></div><div>I suppose there should be a good way to use some git features to create patches or simply add checks in the scripts. I'm a beginner on the git part, so any advise is welcome.<br>
</div><div><span id="result_box" class="" lang="en"><span class="">What would be</span> <span class="">your</span> <span class="">preference?</span></span></div><div>How can I provide you with the corrections I already implemented within my git repo.<br>
</div><div>In a clue: <br></div><div>I made a copy of my current install's configuration, created a repository (say: DLCustomer)<br></div><div>I cloned the current branch in another repository (say: debian-lan) and compared the first one with this one<br>
</div><div>Then, all changes have been made in a branch DLCustomer/DLupdates.<br></div><div><br></div><div><br></div><div>For the record:<br></div><div>The files that were changed between the two releases are:<br>
fai/config/class/50-host-classes<br>fai/config/class/CLIENT_A.var<br>fai/config/class/DEBIAN.var<br>fai/config/class/FAIBASE.var<br>fai/config/class/ROAMING.var<br>fai/config/class/SERVER_A.var<br>fai/config/disk_config/ROAMING<br>
fai/config/files/etc/apt/sources.list/CLIENT_A<br>fai/config/files/etc/apt/sources.list/SERVER_A<br>fai/config/files/etc/fai/apt/sources.list/SERVER_A<br>fai/config/files/etc/fai/nfsroot.conf/SERVER_A<br>fai/config/files/etc/ldap/autofs.ldif/SERVER_A<br>
fai/config/files/etc/ldap/slapd.conf/GOSA<br>fai/config/files/etc/ldap/slapd.conf/SERVER_A<br>fai/config/files/etc/ldap/ssl/slapd-cert.cnf/SERVER_A<br>fai/config/files/etc/rc.local/FAISERVER<br>fai/config/files/etc/sssd/sssd.conf/ROAMING<br>
fai/config/files/usr/local/sbin/add2gosa/GOSA<br>fai/config/files/usr/local/sbin/debian-lan/SERVER_A<br>fai/config/files/usr/local/sbin/dhcpd-keytab/SERVER_A<br>fai/config/files/usr/share/libpam-script/pam_script_auth/DISKLESS_CLIENT<br>
fai/config/files/usr/share/libpam-script/pam_script_auth/ROAMING<br>fai/config/files/var/www/index.html/GOSA<br>fai/config/hooks/install.DEFAULT.source<br>fai/config/hooks/savelog.LAST.source<br>fai/config/package_config/CLIENT_A<br>
fai/config/package_config/DEBIAN<br>fai/config/package_config/DESKTOP<br>fai/config/package_config/EDU<br>fai/config/package_config/FIREWALL<br>fai/config/package_config/GERMAN<br>fai/config/package_config/ROAMING<br>fai/config/scripts/CLIENT_A/20-misc<br>
fai/config/scripts/DISKLESS_CLIENT/30-nfs4_krb5<br>fai/config/scripts/DNS_SERVER/10-zones<br>fai/config/scripts/FAIBASE/20-removable_media<br>fai/config/scripts/FAISERVER/10-config<br>fai/config/scripts/FAISERVER/20-configspace<br>
fai/config/scripts/FAISERVER/40-dhcp<br>fai/config/scripts/FIREWALL/10-config<br>fai/config/scripts/LDAP_CLIENT/10-ldap.conf<br>fai/config/scripts/LDAP_CLIENT/20-nslcd.conf<br>fai/config/scripts/LDAP_CLIENT/30-certificate<br>
fai/config/scripts/LDAP_SERVER/10-mkslapdcert<br>fai/config/scripts/MAIL_SERVER/30-certs<br>fai/config/scripts/NFS_SERVER/10-config<br>fai/config/scripts/NTP_SERVER/10-ntp.conf<br>fai/config/scripts/PROXY/10-config<br>fai/config/scripts/ROAMING/10-home_nfs4_krb5<br>
fai/config/scripts/ROAMING/20-sssd_fstab<br>fai/config/scripts/SERVER_A/10-misc<br>fai/config/scripts/SERVER_A/30-forwarding<br>fai/config/scripts/SERVER_A/50-apache<br>fai/config/scripts/SERVER_A/60-APTrepo_server<br>fai/config/scripts/SERVER_A/65-APTrepo_client<br>
<br></div><div class="gmail_extra"><br></div></div></div>