Skolelinux autoconfig system
============================

Uses cfengine to automatically configure the hosts.

This package is used for all configuration that is impossible to do
using debconf answers during a first-time install.  Configuration
changes, replacement config files and extra files to install in a
Skolelinux installation belong to this package.

All the configuration done in this package should in principle be
possible to do using debconf answers.  We should strive to get patches
into the Debian packages or upstream source, to reduce the need for
Skolelinux specific configuration.

Adding / replacing config files
-------------------------------

If we want to install (add) a file which is not included in another
Debian package, the file should be installed as a normal file in the
Debian package.  This is only useful if the file can be safely
installed for all profiles.

If the file already exists in another package, we should try to use
cfengine edit commands to modify the existing file.  If the changes
are massive, it is more sensible to replace the existing file with
one of our own files, and only in this case should we use the
masterfiles to copy a replacement file on top of the existing
configuration file.

To debug the variable expansion, 'cfengine-debian-edu -d3 2>&1 | less' can be used.

Source overview
---------------

  cf/             - the cfengine configuration files, installed into
                    /etc/cfengine/debian-edu
  cf/masterfiles/ - Replacement config files copied into place using
                    cfengine.  Use this if the file already exists in
                    another Debian package.
  etc/...         - New files installed into /etc/...
  bin/            - New files installed into /usr/bin/
  share/...       - New files installed into /usr/share/...

Contact Petter Reinholdtsen <pere@hungry.com> if you have questions.

What is configured
==================

This is a high-level description of the configuration changes done by
this package, including the files related to each configuration change.

DNS server (bind9)
------------------

  Preconfigured DNS zone .intern with DNS names for services used by
  debian-edu.  Also includes the DHCP-distributed IP addresses used.
  The address range is separated into groups.

DHCP server (dhcp3)
-------------------

  Contains info on the IP range and DNS server used on the network,
  and what to hand out to the clients.  Also contains LTSP
  configuration options.

syslog (rsyslog)
----------------

  The main-server profile is configured as a syslog message collector,
  and all clients (workstation and thin-client-server) are configured
  to send all syslog messages to the host behind the DNS name syslog.

NTP clients and server
----------------------

  The main-server profile is configured as a publicly available NTP
  server, and the workstation and thin-client-server profiles are
  configured as NTP clients using the host behind the DNS name ntp as
  their NTP server.

LDAP server (slapd)
-------------------

  Prepare it to work as a NIS replacement for PAM, NSS and
  automount (autofs).  Also prepare it to work as backend storage for
  the Samba domain controller.

NFS server (nfs-kernel-server)
------------------------------

HTTP proxy (squid)
------------------

SMB domain controller and file server (samba)
---------------------------------------------

  The Samba server is configured with the workgroup 'skolelinux' and
  LDAP-based authentication.  Printing is configured with CUPS, and an
  automatic drive mapping to the connected user's home directory is
  set up as h:\.  The Samba server acts as a domain controller and
  WINS (Windows name service) server.
  Samba client workstations use tjener as their authentication server,
  WINS server and domain controller.  Their NetBIOS name is set
  automatically.

SMTP and IMAPS post office (exim and courier)
---------------------------------------------

  The Courier IMAP server is configured with the authldap module and
  SSL.  The plain imap service is disabled; only imaps (IMAP over SSL,
  listening on port 993) is enabled, so that passwords do not cross the
  network unencrypted.

  Exim is configured as a simple local mail relay on workstations and
  as a server for local users on servers.  Local users are looked up in
  the LDAP database using Exim's LDAP module.

X terminal server solution (LTSP)
---------------------------------

Printer system (CUPS)
---------------------

  Configure CUPS to work out of the box.  Disable non-encrypted access
  for all hosts except localhost.

    cf/cf.cups
    etc/cups/cupsd-debian-edu.conf

HTTP server (apache2)
---------------------

  For now, the Apache configuration is only tuned to know that user
  homepages are in /skole/tjener/home*/*/public_html (see cf/cf.apache2).


KDE client config
-----------------
  1. share/debian-edu/common
     -> settings common to all debian-edu profiles
       - Disable kpersonalizer startup on initial login.
       - Disable the warning dialog box presented when the sound card is missing.
       - Configure the print system to use CUPS.
       - Enable JavaScript for Konqueror.
       - Accept cookies by default.
       - Add a MIME type for MS Word documents (*.doc;*.DOC;*.dot;*.DOT).
  2. share/debian-edu/networked-kd3
     -> settings common to all networked profiles (everything but standalone)
       - Set proxy settings and force them using kiosk (KDE 3 or later specific).
  3. share/debian-edu/networked-kde2
       - Set proxy settings and force them using kiosk (KDE 3 or later specific).
  4. share/debian-edu/thin-client
       - Enable esd sound on thin clients.
  5. share/debian-edu/students
     -> eye candy and restrictions for members of the students group
       - Put some of the learning tools on the Desktop.
       - Create a standard k-panel.
       - Disable shell access, run-commands, new session starting, k-panel
         configuration and accessing root programs via KDE.

SSH (openssh)
-------------

  Enable X11 forwarding by default.
    cf/cf.ssh
  A backdoor is also available for the case where your SSH TCP port 22
  cannot be reached from the Internet.  You'll have to edit
  /etc/default/backdoor to enable this feature.

inetd
-----

  Disable unused network services (discard, daytime, time) on all
  hosts, and disable SMTP listening on all client machines.
    cf/cf.inetd

Design choices
==============

Local device access
-------------------
  Petter Reinholdtsen, 2006-10-17

  The local user should have access to some of the local devices
  (sound, cdrom, etc) after logging in on the console or via
  kdm/gdm/xdm/etc, but not when logging in from remote via ssh.  There
  are as far as I know two ways to make this happen.  One way is to
  add the local user to the groups needed to access these devices, the
  other is to change the permissions on these devices to give access
  to the local user.  The former is done using pam_group, while the
  latter is done using pam_devperm.  Both have advantages and
  weaknesses.

  pam_group
  ---------

  By updating /etc/pam.d/common-auth and /etc/security/group.conf it is
  possible to add the logged in user to the groups needed (audio,
  floppy, cdrom, plugdev, video).  In addition to getting access to
  the devices present during login, it also makes sure hotplugged
  devices like USB sticks work (group membership in plugdev takes care
  of this).

  The problem with this method is that every member of the groups in
  question can create a setgid program to gain access to the devices
  also when not logged into the machine.  This will make it possible
  to record from the microphone, read from the floppy, cdrom and
  usb stick, as well as play unwanted sound on other users' computers.
  It is also possible to start long-running processes in the
  background to keep the access privileges to the devices in question.

  There are some problems with this approach with kde 3.5, as it
  switched from using pmount (which works) to using hal callouts which
  do not.  More info in bug #377689.
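  To make the tty-based restriction in group.conf concrete, here is an
  added example (not part of debian-edu-config) that evaluates rules of
  the shape used in this package against a login.  It implements only a
  simplified subset of the pam_group syntax (the '*' wildcard, '&', '|'
  and '!' in the service/tty/user fields, and Al/Wk/Wd/<day> time
  windows); the sample rule file and the login tuples are constructed
  for the example.  The point it demonstrates is that a console login
  on tty1 or on display :0 receives the device groups, while a remote
  ssh login on a pseudo-terminal (pts/N) matches neither rule.

```python
"""Simplified evaluator for /etc/security/group.conf (pam_group) rules.

Added example; not from debian-edu-config.  Models only the subset of
the syntax used in the rules discussed here.
"""
import fnmatch
from datetime import datetime

# Day codes from the pam_group/pam_time time syntax (0 = Monday).
DAY_CODES = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4},
             "Sa": {5}, "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6},
             "Al": set(range(7))}

# Constructed sample mirroring the two rules this package adds.
SAMPLE_GROUP_CONF = """\
# services; ttys; users; times; groups
*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video
*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video
"""


def _match_item(item, value):
    """One token: optional leading '!' followed by a glob pattern."""
    negate = item.startswith("!")
    pattern = item[1:] if negate else item
    hit = fnmatch.fnmatchcase(value, pattern)
    return not hit if negate else hit


def match_logic_list(field, value):
    """Evaluate a field such as 'tty*&!ttyp*' or 'tty1|:0' against value.

    Simplification: a field uses either '&' (all must match) or '|'
    (any may match), not a mix of both.
    """
    field = field.strip()
    if field == "*":
        return True
    if "&" in field:
        return all(_match_item(t, value) for t in field.split("&"))
    return any(_match_item(t, value) for t in field.split("|"))


def match_time(field, when):
    """'Al0000-2400' style window: day codes followed by HHMM-HHMM."""
    field = field.strip()
    if field == "*":
        return True
    i, days = 0, set()
    while field[i:i + 2] in DAY_CODES:
        days |= DAY_CODES[field[i:i + 2]]
        i += 2
    start, end = (int(x) for x in field[i:].split("-"))
    hhmm = when.hour * 100 + when.minute
    if start <= end:
        in_window = start <= hhmm < end
    else:  # window wraps past midnight, e.g. 2200-0600
        in_window = hhmm >= start or hhmm < end
    return when.weekday() in days and in_window


def parse_group_conf(text):
    """Return the rules as (services, ttys, users, times, groups) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 5:
            raise ValueError("malformed group.conf rule: %r" % line)
        rules.append(tuple(parts))
    return rules


def extra_groups(rules, service, tty, user, when):
    """Set of groups pam_group would add for this (service, tty, user, time)."""
    granted = set()
    for services, ttys, users, times, groups in rules:
        if (match_logic_list(services, service)
                and match_logic_list(ttys, tty)
                and match_logic_list(users, user)
                and match_time(times, when)):
            granted |= {g.strip() for g in groups.split(",")}
    return granted


if __name__ == "__main__":
    rules = parse_group_conf(SAMPLE_GROUP_CONF)
    now = datetime(2006, 10, 17, 11, 25)  # constructed timestamp
    for svc, tty in (("login", "tty1"), ("kdm", ":0"), ("sshd", "pts/3")):
        print(svc, tty, sorted(extra_groups(rules, svc, tty, "user", now)))
```

  Run stand-alone it prints the groups granted for each constructed
  login; the ssh case yields an empty set, which is the property the
  console-only design depends on.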

--- /etc/pam.d/common-auth.orig 2006-10-17 11:25:40.000000000 +0000
+++ /etc/pam.d/common-auth      2006-10-17 11:25:29.000000000 +0000
@@ -7,4 +7,5 @@
 # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
 # traditional Unix authentication mechanisms.
 #
+auth   optional        pam_group.so
 auth   required        pam_unix.so nullok_secure
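Review bot: pam_group.so goes into common-auth, which every service's PAM stack (sshd and su included) pulls in, so the "console only" intent is enforced entirely by the tty field of /etc/security/group.conf and not by this line; a comment on the added line pointing at group.conf would make that dependency explicit so the two files are not edited independently. `optional` is the right control flag here, since the module only supplements group membership and must not be able to block a login if it fails.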
--- /etc/security/group.conf.orig       2006-10-17 11:27:32.000000000 +0000
+++ /etc/security/group.conf    2006-10-17 11:31:43.000000000 +0000
@@ -55,6 +55,8 @@
 #xsh; tty* ;*;Al0900-1800;floppy


+*; tty*&!ttyp*; *; Al0000-2400; audio,cdrom,floppy,plugdev,video
+*; :0; *; Al0000-2400; audio,cdrom,floppy,plugdev,video

 #
 # End of group.conf file
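Review bot: both added rules use `*` in the user field and the all-day window `Al0000-2400`, so root and system accounts logging in on a tty or on display :0 also receive audio,cdrom,floppy,plugdev,video; if that is intended it deserves a comment, otherwise narrow the user field to the accounts that need it. Note also that `:0` only matches the first local X display, so a second local X server on :1 gets nothing, while a remote ssh login (whose tty is a pts/N pseudo-terminal) correctly matches neither rule.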

  pam_devperm
  -----------

  By installing libpam-devperm and updating /etc/pam.d/common-session
  (and /etc/logindevperm to fix bug #393661 and get access to
  /dev/dsp), it is possible to modify the permissions of relevant
  devices when a user logs in, and reset the permissions when the user
  logs out.  The owner of the device is changed to the logged in user,
  and the mode is normally set to 0600, granting exclusive access.

  The problem with this method is that hotplug devices do not work, as
  they are not available when the user logs in, and the device
  ownership is only modified when the user logs in.  Another problem is
  that the user can keep the access privileges for the devices after
  he logs out by starting long-running processes in the background.

--- /etc/pam.d/common-session.orig      2006-10-17 11:23:21.000000000 +0000
+++ /etc/pam.d/common-session   2006-10-17 10:42:08.000000000 +0000
@@ -7,3 +7,4 @@
 # non-interactive).  The default is pam_unix.
 #
 session        required        pam_unix.so
+session        required        pam_devperm.so
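Review bot: pam_devperm.so is added as `required`, so if the module ever returns an error (for example from a problem reading /etc/logindevperm) session setup fails and the user is locked out; `optional` is the safer control flag for a helper that only adjusts device ownership. As with common-auth, common-session is also included by sshd, so a comment noting that the :0/tty filtering in /etc/logindevperm is what keeps remote sessions from taking the devices would help the next editor.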
--- /etc/logindevperm.orig   2006-10-17 10:51:58.000000000 +0000
+++ /etc/logindevperm   2006-10-17 10:53:08.000000000 +0000
@@ -24,7 +24,7 @@
 :0 0600 /dev/cdrecorder:/dev/cdrecorder1:/dev/cdrecorder2:/dev/cdrecorder3
 :0 0600 /dev/dvd:/dev/dvd1:/dev/dvd2:/dev/dvd3
 :0 0600 /dev/zip:/dev/zip1:/dev/zip2:/dev/zip3
-:0 0600 /dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
+:0 0600 /dev/dsp:/dev/dsp0:/dev/dsp1:/dev/dsp2:/dev/dsp3
 :0 0600 /dev/fd0:/dev/fd0u1440:/dev/fd0h1440:/dev/fd0u720:/dev/fd0h720
 :0 0600 /dev/fd1:/dev/fd1u1440:/dev/fd1h1440:/dev/fd1u720:/dev/fd1h720
 :0 0600 /dev/sequencer:/dev/sequencer2:/dev/music
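Review bot: the added /dev/dsp entry follows the existing `:0 0600` convention, which hands the first user logged in on display :0 exclusive ownership of the sound device; a second user logged in locally at the same time gets no sound at all, which is worth documenting in the file, ideally together with the bug #393661 reference from the text above explaining why /dev/dsp was missing from the list.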

  Conclusion
  ----------

  I recommend using the pam_group mechanism to get a working hotplug
  support, and recommend solving the setgid-issue by adding the nosuid
  mount flag to the partitions where users can add files (/home/,
  /tmp/, /dev/shm/, /var/lock/), and solving the problem with
  long-running processes by running some kind of idle-job killer to
  kill long-running processes.
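  The nosuid recommendation in the conclusion only helps if every
  filesystem users can write to actually carries the flag, and a path
  such as /var/lock may live on the root filesystem rather than on its
  own partition.  The following added example (not part of
  debian-edu-config) resolves each user-writable path to the mount that
  covers it, using the longest matching mount point as the kernel does,
  and reports the ones whose option list lacks nosuid.  The mount table
  is a constructed /proc/mounts excerpt; on a real host read
  /proc/mounts instead.

```python
"""Audit that user-writable partitions are mounted nosuid.

Added example; not from debian-edu-config.  The mount table below is
constructed for the example.
"""

# The partitions named in the conclusion above.
USER_WRITABLE = ["/home", "/tmp", "/dev/shm", "/var/lock"]

# Constructed /proc/mounts excerpt: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /tmp ext3 rw 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mount points as \040.
        mountpoint = fields[1].replace("\\040", " ")
        table[mountpoint] = set(fields[3].split(","))
    return table


def mount_for(path, table):
    """Longest mount point that covers path (the filesystem path lives on)."""
    best = "/"
    for mountpoint in table:
        prefix = mountpoint.rstrip("/") + "/"
        if (path == mountpoint or path.startswith(prefix)) and len(mountpoint) > len(best):
            best = mountpoint
    return best


def missing_nosuid(paths, table):
    """Map each path lacking nosuid protection to the mount it lives on."""
    findings = {}
    for path in paths:
        mountpoint = mount_for(path, table)
        if "nosuid" not in table.get(mountpoint, set()):
            findings[path] = mountpoint
    return findings


if __name__ == "__main__":
    for path, mountpoint in missing_nosuid(USER_WRITABLE, parse_mounts(SAMPLE_MOUNTS)).items():
        print("%s is on %s, which is not mounted nosuid" % (path, mountpoint))
```

  On the constructed table /home and /dev/shm pass, /tmp is flagged on
  its own partition, and /var/lock is flagged because it resolves to the
  root filesystem, which shows why the check must be done per covering
  mount and not per directory name.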
