IRC chat logs for #ltsp on irc.libera.chat (webchat)


Channel log from 21 July 2019   (all times are UTC)

06:45
<uumas>
alkisg: You can use mount -v to see which nfs version is being used. Access denied is definitely not a clear indication of no nfs4 support.
06:47
Fought with nfs a while ago and that was the most frequent error, but it could mean so many different things.
09:02
<alkisg>
uumas: nfsmount is a special program that can be used when the "mount -t nfs" command isn't available, e.g. from the initramfs or from a live cd that doesn't have nfs-common installed
09:02
It only supports nfs3; the access denied error that it shows with nfs4 can't be solved, as it just doesn't support nfs4 at all...
09:04
When nfsroot=xxx is used in debian distros, to netboot a client, then initramfs-tools calls nfsmount (not mount -t nfs as it's not available in the initramfs)
09:10
<uumas>
alkisg: Huh, that's interesting. Wouldn't it be the same to just use nfs3 for everything if it needs to be used anyway? AFAIK the only significant benefit of nfs4 is kerberos support.
09:11
<alkisg>
uumas: we can use nfs3 for root which is "public", but for /home people might need security, so nfs4+kerberos...
09:12
Additionally, I'm thinking of exporting the tftp dir over nfs3 as well, for specific use cases of synching the kernel/initrd to a local disk for loading the kernel locally before netbooting
09:13
<alkisg>
So, the ltsp code will allow for using nfs3 for everything, and if someone needs nfs4 home, he should set it up himself...
09:14
<uumas>
I mean you could keep /srv/ltsp for root and /srv/tftp for tftp and export both using nfs3, then add the option for nfs4 home
09:14
<alkisg>
right, here's what I have: https://termbin.com/sfik
09:15
So, by default, we enable /srv/ltsp and /srv/tftp/ltsp,
09:15
and if someone uses a parameter, then we enable nfs3 home: ltsp nfs --export-home=/home
09:15
...and if he wants nfs4, he'd do it from another file in /etc/exports.d/myfile.exports, because we can't help him with kerberos anyway
09:16
(nfs4 for home only)
09:16
Does this sound sane?
09:18
<uumas>
Yeah, setting up kerberos from scratch is a lot of effort for ltsp home only.
09:18
<alkisg>
Great; we default to sshfs anyway; this is only for cases where people care about speed and not at all about security
09:18
(the nfs3 /home; while root nfs3 is needed in all cases)
09:19
Thank you for your input uumas :)
09:19
<uumas>
Yeah, that sounds good
09:20
I currently have kerberized nfs home on a separate server, mounted on the ltsp server. With ltsp19 I'll probably move to mounting them directly to the clients.
09:21
I believe ltsp19 will use pam on clients right?
09:21
<alkisg>
The ltsp clients will need a separate kerberos installation/ticket for each one?
09:21
Yes, I'm using pam_exec and authenticate via ssh/sshfs on the server, using any DM that is available, lightdm, gdm, whatever
09:23
<uumas>
I don't think they all need one. It's a bit less secure to share the keytab unencrypted, but everyone needs personal kerberos tickets to access their home anyway.
09:23
<uumas>
That's why pam is important. It'll let kerberos tickets be acquired on login.
09:23
<alkisg>
!learn ltsp-login as https://github.com/ltsp/ltsp/tree/master/ltsp/client/login is the ltsp-client applet that takes care of client login; it replaced the LDM display manager that was used in LTSP5
09:23
<ltsp>
The operation succeeded.
09:27
<alkisg>
The only thing I worry about is that I'm reading the password from stdin, as provided by pam_exec; all ok so far; but I don't know if the password will still be available for other pam modules down the stack
09:28
I.e. if kerberos also needs to read the password from stdin, it might fail; if it just contacts the server to issue a ticket without caring about the user password, then of course it won't fail
09:29
E.g. does kerberos work with autologin? If yes, then no problem at all
09:29
<uumas>
It needs a password, that's what makes it secure.
09:30
I'm using setups with multiple pam modules which need the password though so it's definitely possible somehow
09:32
<alkisg>
Sure, I'm thinking it might be a possible bug in pam_exec, not a general problem with pam
09:32
I.e. if it's indeed an issue, and we report it to pam_exec, it might be solved in future versions
09:34
<uumas>
It should be possible to give the password to the krb5 module first, then ltsp?
09:34
<alkisg>
I don't think so, kerberos wouldn't know if the user is authenticated or not then; isn't it supposed to be called after authentication?
09:35
Maybe...
09:35
I've never set up kerberos so I'm missing a lot of clues there
09:36
If you want to test, you could set up a client, even a VM one, and try to add both kerberos and pamltsp there, and tell me if it works or what needs to be changed
09:38
Or you could wait and test after the release, and we can fix any shortcomings for a later ltsp 20.x release
09:40
<uumas>
I think kerberos might actually be used for authentication itself, but not sure. Pam configs are not too human-readable...
09:40
<alkisg>
Great, then sure it can go before pamltsp in the pam stack
09:41
Yeah this was my first adventure with pam, I can't say it was enjoyable
09:41
<uumas>
Where does ltsp get info like username, homedir groups etc...
09:41
<alkisg>
We want ltsp-client to be interpreted, not compiled,
09:42
so, we can't write a proper .c based pam module (and don't have the resources for it either),
09:42
so, for pam_exec to work, we already have /etc/passwd and /etc/group from the server, but of course not shadow or gshadow
09:42
These are transferred to the client in the tftp stage, while it's getting the initramfs
09:43
Additionally, this saves us from messing with accountsservice etc, as they can read /etc/passwd and display the users normally
09:43
<uumas>
Ah, that makes sense
09:44
<alkisg>
And of course if someone is using ldap, he can just set up ldap/kerberos/nfs4 in the chroot, and not use pamltsp at all
09:45
<uumas>
That's actually my use case exactly
09:46
So why chroot and not like it's currently with ltsp5?
09:47
<alkisg>
chroots, raw VMs and chrootless are supported in ltsp19
09:47
I just said "chroots" to be brief..
09:48
*and isos too
09:48
<uumas>
Okay, good
09:48
<alkisg>
We should find a better phrase for all those... "root sources" is accurate but doesn't sound so good
09:48
<uumas>
I'm thinking that only leaves tftp+nfs root for the ltsp server am I right?
09:49
If using ldap for auth
09:49
<alkisg>
ssh authentication, and sshfs home by default; both can be overridden
09:49
right