Makefile

@@ -343,6 +343,7 @@ install: install-testsuite
 		share/debian-edu-config/tools/install-task-pkgs \
 		share/debian-edu-config/ltspfs-mounter-kde \
 		share/debian-edu-config/squid.resolvconf \
+		share/firefox-esr/distribution/policies.json \
 		share/ltsp/get-ldap-ltsp-config \
 		share/initramfs-tools/scripts/nfs-bottom/before-ltsp \
 	; do \
@@ -376,9 +377,6 @@ install: install-testsuite
 		share/debian-edu-config/sslCA.cnf \
 		share/debian-edu-config/v3.cnf \
 		share/debian-edu-config/v3CA.cnf \
-		share/debian-edu-config/installs.ini \
-		share/debian-edu-config/profiles.ini \
-		share/debian-edu-config/profiles.ini.ff \
 		share/debian-edu-config/debian-edu.addmachine.template \
 		share/debian-edu-config/debian-edu.ldapscripts.passwd \
 		share/debian-edu-config/passwords_stub.dat \

debian/changelog

+debian-edu-config (2.11.9) UNRELEASED; urgency=medium
+
+  * share/debian-edu-config/tools/kerberos-kdc-init:
+    - Update kdc.conf content from template shipped with the krb5-kdc package.
+      This fixes the recently broken Kerberos setup.
+  * Replace ugly workaround for rootCA certificate integration (both firefox-esr
+    and thunderbird as of version 68.2.0esr) with a $home independent setup:
+    - Add policy file share/firefox-esr/distribution/policies.json.
+      This makes sure that the Debian-Edu_rootCA.crt file gets installed as
+      trusted certificate for firefox-esr and thunderbird.
+      The policy also forces the Debian Edu startpage to be shown (instead of
+      the Firefox one) at first launch; the Firefox privacy page is available
+      via a second tab.
+    - Drop share/debian-edu-config/{installs.ini,profiles.ini,profiles.ini.ff}.
+      These files are no longer required.
+    - Adjust related tools:
+      + share/debian-edu-config/tools/gosa-create
+      + share/debian-edu-config/tools/create-user-nssdb
+      + share/debian-edu-config/tools/update-cert-dbs
+      + ldap-tools/ldap-debian-edu-install
+    - Adjust Makefile.
+
+ -- Wolfgang Schweer <wschweer@arcor.de>  Fri, 08 Nov 2019 19:50:17 +0100
+
 debian-edu-config (2.11.8) unstable; urgency=medium
 
   [ Wolfgang Schweer ]

ldap-tools/ldap-debian-edu-install

@@ -523,21 +523,12 @@ if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
   service slapd start
 fi
 
-# Create both dbm and sql nssdb files for first user.
+# Create PKI nssdb files for first user.
 if [ -x /usr/bin/certutil ] ; then
-  mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default
-  chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default
-  cp /usr/share/debian-edu-config/profiles.ini.ff /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/profiles.ini
-  cp /usr/share/debian-edu-config/installs.ini /skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/installs.ini
-  mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default
-  chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default
-  cp /usr/share/debian-edu-config/profiles.ini /skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird
   mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
   chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
-  certutil  -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-  certutil  -A -d dbm:/skole/tjener/home0/"$FIRSTUSERNAME"/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
   certutil  -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
   chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
-  echo "info: created dbm and sql nssdb files for first-user"
+  echo "info: created PKI nssdb files for first-user"
 fi
 

share/debian-edu-config/installs.ini

-[3B6073811A6ABF12]
-Default=debian-edu.default
-Locked=1
-

share/debian-edu-config/profiles.ini

-[General]
-StartWithLastProfile=1
-
-[Profile0]
-Name=default
-IsRelative=1
-Path=debian-edu.default

share/debian-edu-config/profiles.ini.ff

-[Profile0]
-Name=debian-edu
-IsRelative=1
-Path=debian-edu.default
-
-[General]
-StartWithLastProfile=1
-Version=2
-
-[Install3B6073811A6ABF12]
-Default=debian-edu.default
-Locked=1
-

share/debian-edu-config/tools/create-user-nssdb

@@ -2,29 +2,24 @@
 
 set -e
 
-BASE_HOME=/skole/tjener/home0
-for i in $(ls /skole/tjener/home0/ | grep -v lost+found) ; do
-    if [ -d $BASE_HOME/$i/.mozilla/firefox/debian-edu.default ] ; then
-        su - $i sh -c 'certutil  -A -d dbm:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    fi
-    if [ -d $BASE_HOME/$i/.thunderbird/debian-edu.default ] ; then
-        su - $i sh -c 'certutil  -A -d dbm:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    else
-        mkdir -p $BASE_HOME/$i/.thunderbird/debian-edu.default
-        chmod -R 700 $BASE_HOME/$i/.thunderbird/debian-edu.default
-        chown -R $i:$i $BASE_HOME/$i/.thunderbird/debian-edu.default
-        cp /usr/share/debian-edu-config/profiles.ini $BASE_HOME/$i/.thunderbird
-        certutil  -A -d dbm:$BASE_HOME/$i/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-    fi
-    if [ -d $BASE_HOME/$i/.pki/nssdb ] ; then
-        su - $i sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
+BASE_HOME=/skole/tjener
+for dir in "$BASE_HOME"/*/*; do
+    # Skip if not a directory
+    test -d "$dir" || continue
+
+    # Extract username and check existence
+    username=${dir##*/}
+    id "$username" >/dev/null 2>&1 || continue
+
+    if [ -d "$dir/.pki/nssdb" ] ; then
+        su - $username sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
     else
-        mkdir -p $BASE_HOME/$i/.pki/nssdb
-        chmod -R 700 $BASE_HOME/$i/.pki/nssdb
-        chown -R $i:$i $BASE_HOME/$i/.pki/nssdb
-        certutil  -A -d sql:$BASE_HOME/$i/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
+        mkdir -p $dir/.pki/nssdb
+        chmod -R 700 $dir/.pki/nssdb
+        chown -R $i:$i $dir/.pki/nssdb
+        certutil  -A -d sql:$dir/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
     fi
-    logger -t create-user-nssdb -p notice Both dbm and sql nssdb files created in \'$BASE_HOME/$i\'.
+    logger -t create-user-nssdb -p notice PKI nssdb files created in $dir.
 done
 
 exit 0

share/debian-edu-config/tools/gosa-create

@@ -38,19 +38,10 @@ while read KEY VALUE ; do
                 nscd -i passwd || true
                 nscd -i group || true
             fi
-            mkdir -p $HOMEDIR/.mozilla/firefox/debian-edu.default
-            chmod -R 700 $HOMEDIR/.mozilla/firefox/debian-edu.default
-            mkdir -p $HOMEDIR/.thunderbird/debian-edu.default
-            chmod -R 700 $HOMEDIR/.thunderbird/debian-edu.default
             mkdir -p $HOMEDIR/.pki/nssdb
             chmod -R 700 $HOMEDIR/.pki/nssdb
-            cp /usr/share/debian-edu-config/profiles.ini.ff $HOMEDIR/.mozilla/firefox/profiles.ini
-            cp /usr/share/debian-edu-config/installs.ini $HOMEDIR/.mozilla/firefox/installs.ini
-            cp /usr/share/debian-edu-config/profiles.ini $HOMEDIR/.thunderbird
-            certutil  -A -d dbm:$HOMEDIR/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-            certutil  -A -d dbm:$HOMEDIR/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
             certutil  -A -d sql:$HOMEDIR/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-            logger -t gosa-create -p notice Both dbm and sql nssdb files created in \'$HOMEDIR\'.
+            logger -t gosa-create -p notice PKI nssdb files created in \'$HOMEDIR\'.
             chown -R $USERID:$GROUPID $HOMEDIR
             kadmin.local -q "add_principal -policy users -randkey -x \"$USERDN\" $USERID"
             logger -t gosa-create -p notice Home directory \'$HOMEDIR\' and principal \'$USERID\' created.

share/debian-edu-config/tools/kerberos-kdc-init

@@ -121,13 +121,7 @@ mit_kerberos() {
     fi
     cat > /etc/krb5.conf <<EOF
 [libdefaults]
-        ## FIXME: setting enctypes still needed due to #521878#24
-#       allow_weak_crypto = true
-        permitted_enctypes = des-cbc-crc rc4-hmac des3-cbc-sha1-kd aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
         default_realm = INTERN
-# Should probably use this in [libdefaults] to look up servers in DNS:
-#        dns_lookup_realm = false
-#        dns_lookup_kdc = true
 
 [realms]
         INTERN = {
@@ -172,6 +166,7 @@ mit_kerberos_kdc() {
 
 [realms]
     INTERN = {
+        database_name = /var/lib/krb5kdc/principal
         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
         acl_file = /etc/krb5kdc/kadm5.acl
         key_stash_file = $STASHFILE
@@ -179,7 +174,6 @@ mit_kerberos_kdc() {
         max_life = 10h 0m 0s
         max_renewable_life = 7d 0h 0m 0s
         master_key_type = des3-hmac-sha1
-        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
         default_principal_flags = +preauth
     }
 EOF

share/debian-edu-config/tools/update-cert-dbs

 #!/bin/bash
 #
-# Update both dbm (old style) and sql type nssdb files in users' homedirs.
+# Update PKI nssdb files in users' homedirs.
 #
 
 set -e
@@ -12,18 +12,10 @@ for dir in "$BASE_HOME"/*/*; do
 
     # Extract username and check existence
     username=${dir##*/}
-    id "$username" >/dev/null || continue
+    id "$username" >/dev/null 2>&1 || continue
 
-    if [ -d "$dir/.mozilla/firefox/debian-edu.default" ] ; then
-        su - $username sh -c 'certutil  -A -d sql:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-        su - $username sh -c 'certutil  -A -d dbm:$HOME/.mozilla/firefox/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    fi
-    if [ -d "$dir/.thunderbird/debian-edu.default" ] ; then
-        su - $username sh -c 'certutil  -A -d sql:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-        su - $username sh -c 'certutil  -A -d dbm:$HOME/.thunderbird/debian-edu.default/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
-    fi
     if [ -d "$dir/.pki/nssdb" ] ; then
         su - $username sh -c 'certutil  -A -d sql:$HOME/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt'
     fi
-    logger -t update-cert-dbs "Updated nssdb files for user $username in $dir"
+    logger -t update-cert-dbs "Updated PKI nssdb files for user $username in $dir"
 done

share/firefox-esr/distribution/policies.json

+{
+  "policies": {
+    "Certificates": {
+      "ImportEnterpriseRoots": true,
+      "Install": [
+        "/etc/ssl/certs/Debian-Edu_rootCA.crt"
+      ]
+    },
+    "NewTabPage": false,
+    "OverrideFirstRunPage": ""
+  }
+}
\ No newline at end of file