From af83e2531f6e63693b192cb64974b4187fa10cc5 Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Mon, 27 Oct 2025 14:18:53 +0100 Subject: [PATCH 1/9] add libpam-krb5 to package dependencies. --- debian/control | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index 77de2f5..80ed873 100644 --- a/debian/control +++ b/debian/control @@ -1,12 +1,12 @@ Source: linuxmuster-linuxclient7 Section: linuxmuster Priority: optional -Maintainer: Dorian Zedler , Andreas Till +Maintainer: Dorian Zedler , Thomas Schmitt Build-Depends: debhelper (>= 5.0.0) Standards-Version: 5.0.0 Package: linuxmuster-linuxclient7 Architecture: all -Depends: python3, python3-ldap, cifs-utils, ldb-tools, bind9-host, ipcalc, hxtools, network-manager, krb5-user, keyutils, samba, sssd, sssd-tools, libsss-sudo, adcli, libpam-sss, sudo, realmd, cups (>= 2.3.0), coreutils +Depends: python3, python3-ldap, cifs-utils, ldb-tools, bind9-host, ipcalc, hxtools, network-manager, krb5-user, libpam-krb5, keyutils, samba, sssd, sssd-tools, libsss-sudo, adcli, libpam-sss, sudo, realmd, cups (>= 2.3.0), coreutils Description: Package for Ubuntu clients to connect to the linuxmuster.net 7 active directory server. Conflicts: linuxmuster-client-adsso, linuxmuster-client-adsso7, ni-lmn-client-adsso From e96637b920ce8c70847fb651850cf9bb62c66345 Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Mon, 27 Oct 2025 14:20:16 +0100 Subject: [PATCH 2/9] add full path of linuxmuster-linuxclient7. --- etc/profile.d/99-linuxmuster-linuxclient7.sh | 2 +- .../linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/profile.d/99-linuxmuster-linuxclient7.sh b/etc/profile.d/99-linuxmuster-linuxclient7.sh index 9b025a6..ab5b0f5 100755 --- a/etc/profile.d/99-linuxmuster-linuxclient7.sh +++ b/etc/profile.d/99-linuxmuster-linuxclient7.sh @@ -1,2 +1,2 @@ -scriptDir=$(linuxmuster-linuxclient7 get-constant scriptDir) +scriptDir=$(/usr/sbin/linuxmuster-linuxclient7 get-constant scriptDir) source $scriptDir/executeHookWithEnvFix.sh onLogin \ No newline at end of file diff --git a/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh b/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh index db35bde..4af1657 100755 --- a/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh +++ b/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh @@ -1,7 +1,7 @@ # This script calls the desired hook and sources the temporary env # file afterwards to apply environment changes from lmn-export and lmn-unset -scriptDir=$(linuxmuster-linuxclient7 get-constant scriptDir) +scriptDir=$(/usr/sbin/linuxmuster-linuxclient7 get-constant scriptDir) if [ ! -f $scriptDir/$1 ]; then echo "Unknown hook: $1!" @@ -10,7 +10,7 @@ if [ ! -f $scriptDir/$1 ]; then fi export LinuxmusterLinuxclient7EnvFixActive=1 -tmpEnvFile=$(linuxmuster-linuxclient7 get-constant tmpEnvironmentFilePath) +tmpEnvFile=$(/usr/sbin/linuxmuster-linuxclient7 get-constant tmpEnvironmentFilePath) rm -f $tmpEnvFile From aa98701df386a790dec940b0bbbeca677a0f519c Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Mon, 27 Oct 2025 14:21:56 +0100 Subject: [PATCH 3/9] add krb5 to pam configuration. --- .../python3/dist-packages/linuxmusterLinuxclient7/setup.py | 4 ++-- .../linuxmuster-linuxclient7/templates/common-session | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py b/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py index 85994fe..a8b2ba7 100644 --- a/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py +++ b/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py @@ -246,9 +246,9 @@ def _prepareNetworkConfiguration(domain): def _preparePam(): # enable necessary pam modules logging.info('Updating pam configuration ... ') - subprocess.call(['pam-auth-update', '--package', '--enable', 'libpam-mount', 'pwquality', 'sss', '--force']) + subprocess.call(['pam-auth-update', '--package', '--enable', 'krb5', 'libpam-mount', 'pwquality', 'sss', '--force']) ## mkhomedir was injected in template not using pam-auth-update - subprocess.call(['pam-auth-update', '--package', '--remove', 'krb5', 'mkhomedir', '--force']) + subprocess.call(['pam-auth-update', '--package', '--remove', 'mkhomedir', '--force']) return True diff --git a/usr/share/linuxmuster-linuxclient7/templates/common-session b/usr/share/linuxmuster-linuxclient7/templates/common-session index 970624b..95ac488 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/common-session +++ b/usr/share/linuxmuster-linuxclient7/templates/common-session @@ -35,7 +35,8 @@ session required pam_permit.so # See "man pam_umask". session optional pam_umask.so # and here are more per-package modules (the "Additional" block) -session required pam_unix.so -session optional pam_sss.so -session optional pam_systemd.so +session optional pam_krb5.so minimum_uid=1000 +session required pam_unix.so +session optional pam_sss.so +session optional pam_systemd.so # end of pam-auth-update config From 427f99a9dd50a307e91cff8c5f20bfb58f65d865 Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Mon, 27 Oct 2025 14:22:43 +0100 Subject: [PATCH 4/9] extend krb5 configuration. --- .../templates/krb5.conf | 25 ++++++++++++++++--- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/usr/share/linuxmuster-linuxclient7/templates/krb5.conf b/usr/share/linuxmuster-linuxclient7/templates/krb5.conf index 414931f..2f98b4d 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/krb5.conf +++ b/usr/share/linuxmuster-linuxclient7/templates/krb5.conf @@ -4,7 +4,24 @@ # [libdefaults] - default_realm = @@realm@@ - default_ccache_name = FILE:/tmp/krb5cc_%{uid} - ticket_lifetime = 24h - renew_lifetime = 7d + default_realm = @@realm@@ + dns_lookup_realm = false + dns_lookup_kdc = false + default_ccache_name = FILE:/tmp/krb5cc_%{uid} + ticket_lifetime = 24h + renew_lifetime = 7d + udp_preference_limit = 0 + rdns = false + +[realms] + @@realm@@ = { + admin_server = @@serverHostname@@ + kdc = @@serverHostname@@ + } + +[domain_realm] + .@@domain@@ = @@realm@@ + +[logging] + # Log everything to syslog. Default is severity of ERR and facility of AUTH. + default = SYSLOG From 35dea4ad6de1c7df6e447acd4b843e28cb5538e8 Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Mon, 27 Oct 2025 14:23:18 +0100 Subject: [PATCH 5/9] update nsswitch.conf. --- usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf b/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf index aa7fbdf..7205a55 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf +++ b/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf @@ -3,8 +3,8 @@ # WARNING! All changes to this file will be overwritten by linuxmuster-linuxclient7 setup and upgrade! # -passwd: files systemd sss -group: files systemd sss +passwd: compat sss +group: compat sss shadow: files sss gshadow: files From 04c84d902c68d2af400e97b8544039c67e9cb91c Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Mon, 27 Oct 2025 14:24:00 +0100 Subject: [PATCH 6/9] change security to ads in smb.conf. --- usr/share/linuxmuster-linuxclient7/templates/smb.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/linuxmuster-linuxclient7/templates/smb.conf b/usr/share/linuxmuster-linuxclient7/templates/smb.conf index aac5bec..61fd007 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/smb.conf +++ b/usr/share/linuxmuster-linuxclient7/templates/smb.conf @@ -7,6 +7,6 @@ client signing = yes client use spnego = yes kerberos method = secrets and keytab -security = user +security = ads tls verify peer = ca_and_name tls cafile = /var/lib/samba/private/tls/@@domain@@.pem From 55b501760a6c12af502a86d5fd9e4b9fbc5ceba4 Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Mon, 27 Oct 2025 14:26:51 +0100 Subject: [PATCH 7/9] update changelog. --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index 1b6d478..c9bdce5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +linuxmuster-linuxclient7 (1.1.0) lmn73-testing; urgency=medium + + * implemented debian 13 compatibility. + + -- Thomas Schmitt Fri, 24 Oct 2025 13:21:21 +0200 + linuxmuster-linuxclient7 (1.0.11) lmn73; urgency=medium * Merge pull request #76 from ks98/master, fixes mount problems with Kerberos after cifs-utils update. From 240a9fb515cf3bd491c74140dbdc48d5803a90e9 Mon Sep 17 00:00:00 2001 From: HappyBasher Date: Sat, 1 Nov 2025 11:49:59 +0100 Subject: [PATCH 8/9] Revert "Trixie" --- debian/changelog | 6 ----- debian/control | 4 +-- etc/profile.d/99-linuxmuster-linuxclient7.sh | 2 +- .../linuxmusterLinuxclient7/setup.py | 4 +-- .../scripts/executeHookWithEnvFix.sh | 4 +-- .../templates/common-session | 7 +++--- .../templates/krb5.conf | 25 +++---------------- .../templates/nsswitch.conf | 4 +-- .../templates/smb.conf | 2 +- 9 files changed, 17 insertions(+), 41 deletions(-) diff --git a/debian/changelog b/debian/changelog index c9bdce5..1b6d478 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,3 @@ -linuxmuster-linuxclient7 (1.1.0) lmn73-testing; urgency=medium - - * implemented debian 13 compatibility. - - -- Thomas Schmitt Fri, 24 Oct 2025 13:21:21 +0200 - linuxmuster-linuxclient7 (1.0.11) lmn73; urgency=medium * Merge pull request #76 from ks98/master, fixes mount problems with Kerberos after cifs-utils update. diff --git a/debian/control b/debian/control index 80ed873..77de2f5 100644 --- a/debian/control +++ b/debian/control @@ -1,12 +1,12 @@ Source: linuxmuster-linuxclient7 Section: linuxmuster Priority: optional -Maintainer: Dorian Zedler , Thomas Schmitt +Maintainer: Dorian Zedler , Andreas Till Build-Depends: debhelper (>= 5.0.0) Standards-Version: 5.0.0 Package: linuxmuster-linuxclient7 Architecture: all -Depends: python3, python3-ldap, cifs-utils, ldb-tools, bind9-host, ipcalc, hxtools, network-manager, krb5-user, libpam-krb5, keyutils, samba, sssd, sssd-tools, libsss-sudo, adcli, libpam-sss, sudo, realmd, cups (>= 2.3.0), coreutils +Depends: python3, python3-ldap, cifs-utils, ldb-tools, bind9-host, ipcalc, hxtools, network-manager, krb5-user, keyutils, samba, sssd, sssd-tools, libsss-sudo, adcli, libpam-sss, sudo, realmd, cups (>= 2.3.0), coreutils Description: Package for Ubuntu clients to connect to the linuxmuster.net 7 active directory server. Conflicts: linuxmuster-client-adsso, linuxmuster-client-adsso7, ni-lmn-client-adsso diff --git a/etc/profile.d/99-linuxmuster-linuxclient7.sh b/etc/profile.d/99-linuxmuster-linuxclient7.sh index ab5b0f5..9b025a6 100755 --- a/etc/profile.d/99-linuxmuster-linuxclient7.sh +++ b/etc/profile.d/99-linuxmuster-linuxclient7.sh @@ -1,2 +1,2 @@ -scriptDir=$(/usr/sbin/linuxmuster-linuxclient7 get-constant scriptDir) +scriptDir=$(linuxmuster-linuxclient7 get-constant scriptDir) source $scriptDir/executeHookWithEnvFix.sh onLogin \ No newline at end of file diff --git a/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py b/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py index a8b2ba7..85994fe 100644 --- a/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py +++ b/usr/lib/python3/dist-packages/linuxmusterLinuxclient7/setup.py @@ -246,9 +246,9 @@ def _prepareNetworkConfiguration(domain): def _preparePam(): # enable necessary pam modules logging.info('Updating pam configuration ... ') - subprocess.call(['pam-auth-update', '--package', '--enable', 'krb5', 'libpam-mount', 'pwquality', 'sss', '--force']) + subprocess.call(['pam-auth-update', '--package', '--enable', 'libpam-mount', 'pwquality', 'sss', '--force']) ## mkhomedir was injected in template not using pam-auth-update - subprocess.call(['pam-auth-update', '--package', '--remove', 'mkhomedir', '--force']) + subprocess.call(['pam-auth-update', '--package', '--remove', 'krb5', 'mkhomedir', '--force']) return True diff --git a/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh b/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh index 4af1657..db35bde 100755 --- a/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh +++ b/usr/share/linuxmuster-linuxclient7/scripts/executeHookWithEnvFix.sh @@ -1,7 +1,7 @@ # This script calls the desired hook and sources the temporary env # file afterwards to apply environment changes from lmn-export and lmn-unset -scriptDir=$(/usr/sbin/linuxmuster-linuxclient7 get-constant scriptDir) +scriptDir=$(linuxmuster-linuxclient7 get-constant scriptDir) if [ ! -f $scriptDir/$1 ]; then echo "Unknown hook: $1!" @@ -10,7 +10,7 @@ if [ ! -f $scriptDir/$1 ]; then fi export LinuxmusterLinuxclient7EnvFixActive=1 -tmpEnvFile=$(/usr/sbin/linuxmuster-linuxclient7 get-constant tmpEnvironmentFilePath) +tmpEnvFile=$(linuxmuster-linuxclient7 get-constant tmpEnvironmentFilePath) rm -f $tmpEnvFile diff --git a/usr/share/linuxmuster-linuxclient7/templates/common-session b/usr/share/linuxmuster-linuxclient7/templates/common-session index 95ac488..970624b 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/common-session +++ b/usr/share/linuxmuster-linuxclient7/templates/common-session @@ -35,8 +35,7 @@ session required pam_permit.so # See "man pam_umask". session optional pam_umask.so # and here are more per-package modules (the "Additional" block) -session optional pam_krb5.so minimum_uid=1000 -session required pam_unix.so -session optional pam_sss.so -session optional pam_systemd.so +session required pam_unix.so +session optional pam_sss.so +session optional pam_systemd.so # end of pam-auth-update config diff --git a/usr/share/linuxmuster-linuxclient7/templates/krb5.conf b/usr/share/linuxmuster-linuxclient7/templates/krb5.conf index 2f98b4d..414931f 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/krb5.conf +++ b/usr/share/linuxmuster-linuxclient7/templates/krb5.conf @@ -4,24 +4,7 @@ # [libdefaults] - default_realm = @@realm@@ - dns_lookup_realm = false - dns_lookup_kdc = false - default_ccache_name = FILE:/tmp/krb5cc_%{uid} - ticket_lifetime = 24h - renew_lifetime = 7d - udp_preference_limit = 0 - rdns = false - -[realms] - @@realm@@ = { - admin_server = @@serverHostname@@ - kdc = @@serverHostname@@ - } - -[domain_realm] - .@@domain@@ = @@realm@@ - -[logging] - # Log everything to syslog. Default is severity of ERR and facility of AUTH. - default = SYSLOG + default_realm = @@realm@@ + default_ccache_name = FILE:/tmp/krb5cc_%{uid} + ticket_lifetime = 24h + renew_lifetime = 7d diff --git a/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf b/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf index 7205a55..aa7fbdf 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf +++ b/usr/share/linuxmuster-linuxclient7/templates/nsswitch.conf @@ -3,8 +3,8 @@ # WARNING! All changes to this file will be overwritten by linuxmuster-linuxclient7 setup and upgrade! # -passwd: compat sss -group: compat sss +passwd: files systemd sss +group: files systemd sss shadow: files sss gshadow: files diff --git a/usr/share/linuxmuster-linuxclient7/templates/smb.conf b/usr/share/linuxmuster-linuxclient7/templates/smb.conf index 61fd007..aac5bec 100644 --- a/usr/share/linuxmuster-linuxclient7/templates/smb.conf +++ b/usr/share/linuxmuster-linuxclient7/templates/smb.conf @@ -7,6 +7,6 @@ client signing = yes client use spnego = yes kerberos method = secrets and keytab -security = ads +security = user tls verify peer = ca_and_name tls cafile = /var/lib/samba/private/tls/@@domain@@.pem From f7be82da62474d96dcfc10837fcf70e773bebf0a Mon Sep 17 00:00:00 2001 From: "highTower.SU" <3651850+highTowerSU@users.noreply.github.com> Date: Wed, 5 Nov 2025 18:20:11 +0100 Subject: [PATCH 9/9] added role-parents und role-staff to sudoers.de --- etc/sudoers.d/99-linuxmuster-linuxclient7 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/sudoers.d/99-linuxmuster-linuxclient7 b/etc/sudoers.d/99-linuxmuster-linuxclient7 index f5ba9b9..98728e0 100644 --- a/etc/sudoers.d/99-linuxmuster-linuxclient7 +++ b/etc/sudoers.d/99-linuxmuster-linuxclient7 @@ -4,5 +4,7 @@ %examusers ALL=(root) NOPASSWD: /usr/share/linuxmuster-linuxclient7/scripts/sudoTools %role-student ALL=(root) NOPASSWD: /usr/share/linuxmuster-linuxclient7/scripts/sudoTools %role-teacher ALL=(root) NOPASSWD: /usr/share/linuxmuster-linuxclient7/scripts/sudoTools +%role-parents ALL=(root) NOPASSWD: /usr/share/linuxmuster-linuxclient7/scripts/sudoTools +%role-staff ALL=(root) NOPASSWD: /usr/share/linuxmuster-linuxclient7/scripts/sudoTools %role-schooladministrator ALL=(ALL:ALL) NOPASSWD: ALL %role-globaladministrator ALL=(ALL:ALL) NOPASSWD: ALL