/!\ Before explaining how to upgrade, please note, that you do this update on your productive server on your own risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Please read this chapter completly before attempting to upgrade.

General notes on upgrading

Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunatly not yet true as we heavily modify configuration files in ways we shouldn't do. (See Debian bug 311188 for more information.) Upgrading is still possible but might requiere some work.

In general, upgrading the servers is more difficult than the workstations and the main-server is the most difficult to upgrade. The diskless machines are easy, as their chroot environment can be deleted and recreated, if you haven't modified it. If you have, the chroot is basically a workstation chroot anyway, so rather easy to upgrade.

If you want to be sure that after the upgrade everything works like before , you should test the upgrade on (a) test systems, which are configured the same way as your production machines. There you can test the upgrade without risk and see if everything works as it should.

Make sure to also read the information about the Debian lenny release from its installation manual.

Also it might be wise to wait a bit and keep running etch for some more weeks, so that others can test the upgrade, experience problems and document them here. Debian Edu etch will receive continued support for some time in the future, but when Debian ceases support for etch, Debian Edu will (have to) do that too. This is expected to happen on Febrary 16th, 2010.

Upgrades from Debian Edu etch

/!\ Be prepared: make sure you have tested the upgrade from Etch in a test environment or have backups ready to be able to go back.

The basic upgrade operation

  1. Edit /etc/apt/sources.list and replace all occurances of "etch" with "lenny".

  2. run apt-get update

  3. run apt-get upgrade

  4. run apt-get dist-upgrade

LDAP service needs to repaired

Upgrading the debian-edu-config package on tjener is likely to disrupt some services:

  1. slapd wouldn't start.
    It may keep running until next restart, then if it gives:

     tjener:~# invoke-rc.d slapd start
     Starting OpenLDAP: slapd - failed.
     The operation failed but no output was produced. For hints on what went
     wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
     try running the daemon in Debug mode like via "slapd -d 16383" (warning:
     this will create copious output).
     Below, you can find the command line options used by this script to
     run slapd. Do not forget to specify those options if you
     want to look to debugging output:
     slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf                     -4

    And searching /var/log/syslog yelds something like:
    tjener slapd[8894]: could not stat config file "/etc/ldap/schema/dnsdomain2.schema": No such file or directory (2)
    then as a temporary measure to get it running until DNS is sorted.

    1. Comment out the line include   /etc/ldap/schema/dnsdomain2.schema in /etc/ldap/slapd.conf.

    2. Run invoke-rc.d slapd start

Some new indexes have been added to openldap's configuration. in order to benefit from these you need to regenerate indexes:

  1. stop slapd.  invoke-rc.d slapd stop 

  2. check syslog or ps output that it have truly stopped.
  3. run  sudo -u openldap slapindex 

  4. start slapd with  invoke-rc.d slapd start 

DHCP service needs to repaired

  1. dhcp3-server wouldn't start.
    If starting dhcp3-server gives:

     tjener:~# invoke-rc.d dhcp3-server start
     dhcpd self-test failed. Please fix the config file.
     The error was:
     Internet Systems Consortium DHCP Server V3.1.1
     Copyright 2004-2008 Internet Systems Consortium.
     All rights reserved.
     For info, please visit http://www.isc.org/sw/dhcp/
     /etc/dhcp3/dhcpd.conf line 2: semicolon expected.
     ldap-server "ldap"
     /etc/dhcp3/dhcpd.conf line 3: semicolon expected.
     ldap-port 389;
     /etc/dhcp3/dhcpd.conf line 4: semicolon expected.
     ldap-base-dn  "dc=skole,dc=skolelinux,dc=no"
     /etc/dhcp3/dhcpd.conf line 5: semicolon expected.
     ldap-dhcp-server-cn "dhcp"
     /etc/dhcp3/dhcpd.conf line 6: semicolon expected.
     ldap-method dynamic;
     Configuration file errors encountered -- exiting
     invoke-rc.d: initscript dhcp3-server, action "start" failed.

    Then installing dhcp3-server-ldap is needed install it. Use your favorite package management front-end or run:

     tjener:~# apt-get -q=2 update
     tjener:~# apt-get -q=2 install dhcp3-server-ldap

    If starting dhcp3-server gives:

     tjener:~# invoke-rc.d dhcp3-server start
     dhcpd self-test failed. Please fix the config file.
     The error was:
     Internet Systems Consortium DHCP Server V3.1.1
     Copyright 2004-2008 Internet Systems Consortium.
     All rights reserved.
     For info, please visit http://www.isc.org/sw/dhcp/
     Connecting to LDAP server ldap:389
     Successfully logged into LDAP server ldap
     Cannot find host LDAP entry dhcp (&(objectClass=dhcpServer)(cn=dhcp))
     Configuration file errors encountered -- exiting
     invoke-rc.d: initscript dhcp3-server, action "start" failed.
    Then DHCP configuration needs loading into LDAP. Two ways to do it are:
    1. To load an existing configuration into the database:
      1. Locate the appropriate dhcp.conf, the last one should be in /etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old or get one from backups.

      2. Extract /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl.gz

      3. Set /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl executable.

      4. Run /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl, optionaly with --help first or read the comments in code.

      5. View and check the resulting ldif file. Though DHCP is likely to function fine with this file, to keep as close as possible to the default configuration it is probably best to keep the entries for the configured individual hosts and replace the general entries (i.e. dhcpService, dhcpSharedNetwork, dhcpSubnet, etc.) with those from etc/ldap/dhcp.ldif.

      6. Load the resulting ldif file to the LDAP database.
      7. Start dhcp3-server.

       tjener:~# cd /usr/share/doc/dhcp3-server-ldap/
       tjener:/usr/share/doc/dhcp3-server-ldap# gunzip dhcpd-conf-to-ldap.pl.gz
       tjener:/usr/share/doc/dhcp3-server-ldap# chmod 0744 dhcpd-conf-to-ldap.pl
       tjener:/usr/share/doc/dhcp3-server-ldap# ./dhcpd-conf-to-ldap.pl --server "dhcp" \
       >     --basedn "dc=skole,dc=skolelinux,dc=no" \
       >     --dhcpdn "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" \
       >     --conf "/etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old" --ldif "/etc/ldap/migrate-dhcp.ldif"
       Creating LDAP Configuration with the following options:
              Base DN: dc=skole,dc=skolelinux,dc=no
              DHCP DN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
              Server DN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
       tjener:/usr/share/doc/dhcp3-server-ldap# cd /etc/ldap/
       tjener:/etc/ldap# # At this point it's recommended to view migrate-dhcp.ldif side by side
       tjener:/etc/ldap# # with dhcp.ldif and make some manual adjustments, before running:
       tjener:/etc/ldap# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
       >                         -f /etc/ldap/migrate-dhcp.ldif
       Enter LDAP Password:
       adding new entry "cn=dhcp, dc=skole,dc=skolelinux,dc=no"
       tjener:/etc/ldap# invoke-rc.d dhcp3-server start
        * Starting DHCP server dhcpd3                                            [ ok ]
    2. To load The fresh configuration into the database:
      If there are only few configured host and adding them later to the configuration is no bother just run ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -f /etc/ldap/dhcp.ldif

  2. Squid wouldn't start.
    If starting Squid gives:

     tjener:~# invoke-rc.d squid start
     * Starting Squid HTTP proxy squid
     2009/08/23 00:20:56| ACL name 'localnet' not defined!
     FATAL: Bungled squid.conf line 2577: http_access allow localnet
     Squid Cache (Version 2.7.STABLE3): Terminated abnormally.
    It's complaint is self explanatory. Two options to overcome this are:
    1. To keep the old /etc/squid/squid.conf just comment-out or remove the offending line http_access allow localnet.

    2. To stay current copy the new squid.conf distributed in the squid package:
       tjener:~# cd /etc/squid/
       tjener:/etc/squid# mv squid.conf etch-squid.conf
       tjener:/etc/squid# cp /usr/share/doc/squid/examples/squid.conf squid.conf
      1. To have the default Debian Edu configuration run cfengine-debian-edu

      2. Any customized settings in the old configuration should be copied from the old file ( dropping lines acl schoolnet*, acl ltspnet*, http_access allow schoolnet and http_access allow ltspnet these were replaced by the acl localnet* and *access allow localnet lines).

User logins from Windows machines needs to repaired

  1. Users can't login from Windows machines.
    A change in Samba that has become apparent in Lenny (see 532859) prevents users login to Samba unless sambaPwdLastSet attribute is set other than zero in their LDAP entry.

    1. To add the 'sambaPwdLastSet' attribute for new users to be created in lwat make sure /etc/lwat/admin.ini contain the line 'sambaPwdLastSet = 1' for each group. See also: Debian Edu bug#1364.

    2. To find which users are affected try:
      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(|(!(sambaPwdLastSet=*))(sambaPwdLastSet=0)))' uid  | less
    3. To add the 'sambaPwdLastSet' attribute to users where it isn't set try:

      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(!(sambaPwdLastSet=*)))' dn | sed '/.\+/a\changetype: modify\nadd:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif
      ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
                  -f /etc/ldap/fixamba.ldif
    4. If users with 'sambaPwdLastSet = 0' were found and allowing them to login is desired, try:

      ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(sambaPwdLastSet=0))' dn | sed '/.\+/a\changetype: modify\nreplace:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif
      ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
                 -f /etc/ldap/fixamba.ldif

      See also SambaLDAP.

DNS service needs to repaired

For lenny Debian Edu has switched to powerdns as nameserver. It's however possible to stay with bind9.


If you want to continue running bind, you must add the RFC 2782 entries in /etc/bind/debian-edu/db.intern:

_ldap._tcp                      IN      SRV     0 100 389 tjener
_syslog._udp                    IN      SRV     0 100 514 tjener


To switch to powerdns:

  1. install the packages pdns-server, pdns-recursor and pdns-backend-ldap.

     tjener:~# apt-get -q=2 update
     tjener:~# apt-get -q=2 install pdns-server pdns-recursor pdns-backend-ldap
  2. In /etc/ldap/slapd.conf:

    1. Uncomment the line include   /etc/ldap/schema/dnsdomain2.schema, if it was commented-out earlier (1.1).

    2. It's recommended to index associatedDomain, at the indices area add the lines:

       # PowerDNS index
       index associatedDomain         pres,eq,sub
  3. Restart slapd invoke-rc.d slapd restart.

  4. Load the DNS data into LDAP either using the default Debian Edu or the existing Bind9 configuration:
    1. To use the default Debian Edu configuration:
      1. Add the contents of /etc/ldap/dns_skole.ldif and /etc/ldap/dns_arpa.ldif using ldapadd.

         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                 -f '/etc/ldap/dns_skole.ldif'
         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                 -f '/etc/ldap/dns_arpa.ldif'
    2. To migrate Bind's configuration:

      1. There is a utility called zone2ldap provided in the PowerDNS distribution which convert zone files used by BIND to the ldif format, it is broken in Lenny (504061), fixed packages are available in Squeeze.
        To use the one from Etch:

        1. Download etch-i386-pdns-backend-ldap.

        2. Unpack it using dpkg or dpkg-deb and replace the faulty /usr/bin/zone2ldap:

           tjener:/tmp# dpkg-deb -x pdns-backend-ldap_2.9.20-8+etch1_i386.deb \
           >                     pdns-backend-ldap_2.9.20
           tjener:/tmp# cp pdns-backend-ldap_2.9.20/usr/bin/zone2ldap /usr/bin/zone2ldap
        3. Apparently PowerDNS in Lenny ( doesn't understand AFSDB records same for `zone2ldap', when reading an AFSDB record it will quit with an error message.
          To workaround this limitation comment-out (with ' ; ') AFSDB records in the named db.* files, grep -rl AFSDB /etc/bind/* will disclose them.

        4. At last the conversion can be executed:
           tjener:~# zone2ldap --basedn='ou=hosts,dc=skole,dc=skolelinux,dc=no' --layout=tree \
           >                   --named-conf='/etc/bind/debian-edu/named-bind9.conf' --resume \
           >               > /etc/ldap/skole-zone2ldap
      2. Before the data in the new ldif file can be added to the database the "basedn" must be created:
         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no'
         Enter LDAP Password:
         dn: ou=hosts,dc=skole,dc=skolelinux,dc=no
         objectClass: organizationalUnit
         objectClass: domainRelatedObject
         ou: hosts
         associatedDomain: intern
      3. The format of the ldif file created by zone2ldap is suitable for `ldapmodify':

         tjener:~# ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                    -f /etc/ldap/skole-zone2ldap
  5. Time to stop bind9 and start pdns and pdns-recursor:

     tjener:~# invoke-rc.d bind9 stop
     tjener:~# invoke-rc.d pdns start
     tjener:~# invoke-rc.d pdns-recursor start
  6. After testing the new PowerDNS setup Bind9 may be disabled/removed/purged.

Nagios setup has changed

Nagios2 is not available in lenny anymore, so nagios3 is now installed.

The nagios3 configuration will already be installed and functional, though the nagios2 configuration won't be functional anymore. If you changed the nagios2 configuration, your changes will be saved in .dpkg-old files, but the changes will not be applied to the nagios3 configuration. So these changes have to be redone manually.

Recreating an LTSP chroot

On the LTSP server(s) the LTSP chroot should be recreated. The new chroot will automatically support both thin-clients and diskless workstations.

Remove /opt/ltsp/i386 (or /opt/ltsp/amd64, depending on your setup. If you have enough diskspace, consider backing it up.

Recreate the chroot by running debian-edu-ltsp && ltsp-make-client as root.

Upgrades from older Debian Edu / Skolelinux installations (before etch)

To upgrade from any older release, you will need to upgrade to the etch based Debian Edu release first, before you can follow the instructions provided above. How to upgrade to etch is described in the Manual for Debian Edu etch.