add sshd_config change
|Deletions are marked like this.||Additions are marked like this.|
|Line 11:||Line 11:|
|* New debconf default: openssh-server openssh-server/permit-root-login boolean false|
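Review bot: the entry added at line 11 gives only the debconf key and value (openssh-server/permit-root-login boolean false) and does not say what changes for an administrator. Consider adding a short clause on the effect and a pointer to the slbackup-php item under "Known problems we want to fix", which the page attributes to this sshd configuration change (root access with password now disabled by default).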
See also the release notes.
Status of Debian Edu "Jessie"
Most resources moved to git, see SVN2Git Migration Status page
As the local repo is gone for now and all packages are in Debian proper, use the 'nolocal' ISO image for test installations: ftp://ftp.skolelinux.no/cd-edu-testing-nolocal-netinst/debian-edu-amd64-i386-NETINST-1.iso
Changes from Wheezy to Jessie
- Shutdown/reboot of the main server takes longer due to a default setting in squid3 (shutdown_lifetime 30 seconds).
- New debconf default: openssh-server openssh-server/permit-root-login boolean false
Known problems we want to fix
- LTSP no longer installs. Probably due to 765738 affecting i386.
- The kdm login no longer seems to run the scripts in /etc/X11/Xsession.d/, causing robustness fixes to not be applied in the default setup.
- The installer accepts weak user passwords for the first user, which are then rejected by Kerberos, making it impossible to log in after boot. We should extend d-i to allow us to reject passwords Kerberos is going to reject. (364526)
- PXE installation asks for a mirror, while it should use the same mirror as the server used when it was installed.
- The first user created in LDAP can log in, but the second and third cannot. Changing "Password Storage" for these in GOSA from default ssha to sha and re-assigning a password helped. See mailing list. [ssha -> sha seems to be unneeded.]
- Usability issue: The default browser Iceweasel fails to show files with MIME types text/* (for example diffs or source code) in the browser, and instead pops up a dialog only offering to save the file or pass it on to an external program (600266). This makes it hard for users to look at fairly normal text documents. Chromium shows text/* files in the browser.
- The cups management site 'www:631' doesn't work any longer. Remote printer management should be documented.
- The munin clients do not allow the munin server to talk to them ("Denying connection from: ::ffff:10.0.2.1" in /var/log/munin/munin-node.log). This is caused by the systemd service being different from the init.d script (764594).
- slbackup-php: It is not possible to log into the web service using the root password. [Caused by sshd configuration: root access with password now disabled by default.] The web page isn't localized.
- Workstations are not able to NFS mount home0 from the tjener, even if they are in the workstation-hosts netgroup granting access. [Needs evaluation: ntp.conf related? Does commenting out the debian pool ntp servers fix the problem?]
- SMTP rejects email from cron on all other machines, and refuses email from everyone without a Kerberos ticket.
Known problems, unlikely to be fixed
- The command 'net time' causes a segmentation fault (760781).
- USB sticks with some ISO images (like the Debian Edu netinst one) dd'ed to them don't work (the user doesn't get notified, the file manager doesn't show the stick, fdisk can't access the device due to a possibly wrong partition table). [So this is rather an ISO file problem.]
Fixed in git
Fixed in unstable (related packages accepted in unstable)
- Recently made LDAP entries get lost if the system is rebooted or powered off (764225). As a workaround, stop slapd before shutting the system down. [This issue seems to be unreproducible now. Feedback?]
- Kerberos/LDAP startup with systemd is unreliable (758992). This seems to affect diskless workstations as well (homedir not mounted).
- Duplicate entries in /etc/udev/rules.d/70-persistent-net.rules for the network card on a Thinkpad X200 caused eth0 to be missing when installing a workstation, making it impossible to log in after installation. etckeeper shows that the duplicate entry originates from d-i before pre-pkgsel.d. It was present before debian-edu-config was installed by d-i. (765577) Workaround implemented in debian-edu-config (pre-pkgsel script).
- GRUB asks users to enter the /dev/ path to the hard drive on a single hard drive machine (712907) (763580), fixed in grub-installer version 1.98, reintroduced on purpose in version 1.99. Workaround implemented in debian-edu-config (pre-pkgsel script).
- Usability issue: the KDE file manager fails to play Ogg Theora videos recorded by gtk-recordmydesktop because file reports MIME type "application/ogg" instead of "video/ogg" (762561). Video players and processors like vlc (762564), gnome-mplayer (762565), mpv (763173), advene (763174) and handbrake (763175) should be updated to list video/ogg as a supported MIME type. The dragonplayer and kaffeine packages already support video/ogg.
- The wrong Nagios configuration is used on the server. The autogenerated Nagios configuration does not seem to be enabled.
- debian-edu-artwork: background of gdm3 login screen is not the Debian Edu one.
- The Kerberos TGT is valid for 10 hours as it should be. Clicking the key symbol, the krb5-auth-dialog lacks the username; the realm is OK, though (762906).
Fixed + done (related packages migrated to jessie)
- Gosa allows admins to add invalid DNS names in the web interface, and the LDAP to DNS export script gladly passes them on to bind (710362), which breaks and takes down the entire installation when the LDAP server is unknown in DNS. [Seems to be fixed in the gosa version available in jessie, see mail to bug.] ldap2zone will no longer put broken zones into production.
- On LTSP diskless workstations the homedir isn't mounted. This is caused by automounter running and blocking /skole as mountpoint for sshfs. As a workaround (to be able to test things) set RM_SYSTEM_SERVICES=autofs in /opt/ltsp/i386/etc/lts.conf.
- debian-edu-doc.git: the jessie manual is missing.
- exim4-config sometimes fails to install, reporting "Failed to acquire random data" (762103). Triggered by a bug in eatmydata, affecting all GnuTLS users. Fixed by disabling eatmydata until a fixed version enters testing.
- Automatic proxy configuration fails because WPAD is ignored by the proxy command (644373).
- The URL http://wpad/wpad.dat is not understood by apache and gives a 404 error. It should hand out /etc/debian-edu/www/wpad.dat instead.
- Started on Jessie manual, https://wiki.debian.org/DebianEdu/Documentation/Jessie
- www/sitesummary doesn't work
- Unable to find /usr/bin/rpcinfo
- pxeinstall: Unable to find PXE file /var/lib/tftpboot/pxelinux.0
- Using VirtualBox, Jessie installation is broken because hw-setup calls discover-pkginstall, which hangs (760144).
- Samba/LDAP setup fails due to a failure reading SAMBASID during bootstrap.
- krb5kdc is not running.
- kadmind is not running.
- Kerberos service is not listening on kerberos/udp.
- Kerberos service is not listening on kpasswd/tcp.
- Kerberos service is not listening on kerberos-adm/tcp.
- getent failed to find file group 'students'.
- samba: missing Domain Admins in samba groupmap.
- webcache: squid is not running.
- Installation of desktops fails because of a postinst bug in lilypond-doc (758787), triggered by lilypond-doc being recommended by lilypond (653263), a dependency of rosegarden, but the fix fails to propagate to testing because of build failures on powerpc and mips (760794).
- Rosegarden is no longer installed. It was removed from the music task as a workaround for a bug in lilypond (758787). When lilypond builds on powerpc and mips (760794), rosegarden can be reinserted in the task.
- Installing using desktop=lxde or xfce ends up without any display manager enabled, thanks to preseeding shared/default-x-display-manager to kdm while lightdm is installed.
- Automatic partitioning fails when reinstalling, because partman refuses to "reuse" swap partition in LVM (757818).
- ldap-client: Not only one PAM module of krb5, ldap and sss is enabled
- pxeinstall is broken due to a typo in debian-edu-pxeinstall.
- debian-edu-doc.git: scripts/get_manual is broken, probably due to wiki (show content in raw/docbook layout) changes (762025).
Mostly stuff for Jessie (the release after Wheezy)
- make it easier to use another, already existing, directory server, be it LDAP or AD.
- Include FAI to easily install customized machines (Skolelinux RLP and Musterlösung BW use images (why?); can we do something comparable with FAI?)
- Make the installer more flexible. Make it possible to choose KDE/GNOME/all educational packages/Debian default. (Waiting several hours installing Tjener+LTSP seems to scare away testers and developers).
- Continue cleanup. What is left back in our d-e-packages that's not needed anymore? Strip down things to the necessary, we are not able to maintain more. What can and should be addressed in Debian?
- Preconfigured LXDE by default as Thin-Client?
- Preconfigured educational desktop (if chosen in the installer).
- Make it possible to choose LTSP chroot arch (i386/amd64)