IRC chat logs for #ltsp on irc.libera.chat (webchat)


Channel log from 6 September 2022   (all times are UTC)

01:52 vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20)
02:43 we6jbo has joined IRC (we6jbo!~we6jbo@2603-8001-5b43-4000-97a4-3474-13d2-4d16.res6.spectrum.com)
04:18 vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20, Quit: leaving)
04:34 we6jbo has left IRC (we6jbo!~we6jbo@2603-8001-5b43-4000-97a4-3474-13d2-4d16.res6.spectrum.com, Quit: Leaving.)
05:37 ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
07:49
<alkisg>
!lower
07:49
<ltspbot>
I do not know about 'lower', but I do know about these similar topics: 'lowercase-mac'
07:50
<alkisg>
!lowercase-mac
07:50
<ltspbot>
lowercase-mac: The new ltsp.conf expects mac addresses in lowercase. Here's a command to convert them: sed -E 's/([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}/\L&/' -i ltsp.conf
09:40 woernie has left IRC (woernie!~werner@p5ddec955.dip0.t-ipconnect.de, Remote host closed the connection)
11:02 woernie has joined IRC (woernie!~werner@p578bb7b6.dip0.t-ipconnect.de)
11:24 ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
11:39 Alexthek1d has joined IRC (Alexthek1d!~Alexthek1@p5b3ae57d.dip0.t-ipconnect.de)
12:09 ricotz has joined IRC (ricotz!~ricotz@ubuntu/member/ricotz)
12:23 woernie has left IRC (woernie!~werner@p578bb7b6.dip0.t-ipconnect.de, Remote host closed the connection)
13:44 oh207 has joined IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net)
13:56 oh207 has left IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net, Quit: Konversation terminated!)
14:01 oh207 has joined IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net)
14:10 oh207 has left IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net, Ping timeout: 260 seconds)
14:10 oh207_ has joined IRC (oh207_!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net)
14:34 oh207 has joined IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net)
14:35 oh207_ has left IRC (oh207_!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net, Ping timeout: 252 seconds)
14:44 oh207 has left IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net, Ping timeout: 268 seconds)
15:16 Alexthek1d has left IRC (Alexthek1d!~Alexthek1@p5b3ae57d.dip0.t-ipconnect.de, Quit: Leaving)
16:09 oh207 has joined IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net)
16:18 oh207_ has joined IRC (oh207_!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net)
16:19 oh207 has left IRC (oh207!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net, Ping timeout: 244 seconds)
16:21 vagrantc has joined IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20)
18:15 samop has joined IRC (samop!~samop@APN-123-250-202-gprs.simobil.net)
18:27 moi100 has joined IRC (moi100!~moi@2a01cb0c0993a80025281b2ef97194bd.ipv6.abo.wanadoo.fr)
18:28
<moi100>
Hello
18:33 moi100 has left IRC (moi100!~moi@2a01cb0c0993a80025281b2ef97194bd.ipv6.abo.wanadoo.fr, Quit: Client closed)
18:44
<samop>
Hi all, I've been using LTSP6 for about 7 years now, updating Ubuntu until 18.04 and now it is time to move on. I was happy to see that LTSP is actively developing -- kudos to you guys ;) , and I was happy to see the new LTSP is waaay better. I managed to get everything running in a day, but before I deploy my new setup I came across one obstacle.
18:44
We are using an external LDAP server to authenticate users and with ltsp19 it works better than before (I've manually tweaked some configs to make it work up to now). So, my LDAP is perfectly working, but I want to authenticate towards LDAP simultaneously with local passwd file on server (or in image) and somehow I was unable to configure ltsp to use
18:44
double authentication. So it is either ldap or local users, but not both. Searching through irc archives I've come across a conversation mentioning this is normal behaviour. However, is there any chance to activate checking user against ldap and local users? Playing with PAM_AUTH_TYPE=Primary worked to some extent, but the home directories were
18:44
created locally and were erased after logout, not being permanent. Also value of 0 had the effect of removing all local users. So, is there a trick where I could get local user authentication as well as LDAP simultaneously?
18:46
I have started with configuring the image in May, and I updated ltsp only yesterday, so maybe there is a new option I don't know about and maybe some behaviour has changed since then, but I really don't know what to try next :(
18:47
<alkisg>
samop: I'm not sure if it's a matrix issue but your post came out garbled
18:48
It should be possible to have both pamltsp and sssd installed in pam
18:51
Unfortunately it might require a bit of fiddling, I don't remember the necessary options off hand
18:52 samop0[m] has joined IRC (samop0[m]!~samop0mat@2001:470:69fc:105::2:7a6f)
18:53
<samop0[m]>
Hi, I've created matrix account and not using irc to potentially garbling the posts :)
18:53
<alkisg>
👍
18:54
<samop0[m]>
Thank you for the reply. You've pointed me into a general direction and I will try to investigate on how it can be done.
18:54 samop has left IRC (samop!~samop@APN-123-250-202-gprs.simobil.net, Quit: Client closed)
18:55
<alkisg>
You will indeed need to force pam=primary
18:55
Make sure ssh from the client to the server works
18:55
<samop0[m]>
So, if I got this straight - I need sssd for local users and ldap for remote users.
18:56
<alkisg>
No, sssd is an ldap client implementation
18:56
For usual ltsp users based on ssh, you need pamltsp, which is what pam primary does
18:57
<samop0[m]>
I see, so instead of nslcd I need sssd :/
18:58
<alkisg>
If nslcd is properly registered in Pam then you can use that one as well
18:58
If you want I will be online in half an hour, I could take a look with VNC then
19:00
<samop0[m]>
I don't want to take too much of your time, but if you will get any idea on how to solve the issue, that would be great.
19:06
<alkisg>
It will need pam = primary and some hands on troubleshooting. It's not a frequent setup so I can't give any more advice without spending some time on it
19:11
<samop0[m]>
With pam_auth_type=Primary, the /etc/shadow on the client is rewritten and the line with given username says: username:pamltsp::::::: instead of username:encrypted_password:::::::
19:11
<alkisg>
That's what you want; the "local" users are the server local users, not the image local users
19:11
Then home gets mounted over sshfs
19:12
Or do you actually want users from the chroot/image? Where would /home/username come from then?
19:13
<samop0[m]>
No, no... server local users.
19:13
Aha, so this is normal that shadow is rewritten...
19:13
<alkisg>
Yes, we don't want any secrets on the network/chroot/ltsp client
19:13
So no hashes in shadow
19:14
<samop0[m]>
It makes sense with my experience. If I fix shadow as root, I can login, but it's not servers home dir that is being mounted.
19:14
<alkisg>
login username, when username has pamltsp in shadow, should be handled by pamltsp, and should mount /home/username via sshfs from the server
19:17
<samop0[m]>
Now that you are saying it, it makes perfect sense. I have to see elsewhere, since when I enter server's username and password, it says that the password is invalid and doesn't continue. ldap users however can login.
19:29
Furthermore, what I find interesting if I run "id" command in the client on the ldap user or the server's local user I get replies on both inquiries. As if user is visible to the system, but I cannot log in (nor use "su" with local user within the client)
19:33 vagrantc has left IRC (vagrantc!~vagrant@2600:3c01:e000:21:7:77:0:20, Quit: leaving)
19:44
<alkisg>
Does ssh user@server work?
19:45
(from the client, using the local user)
19:47
<samop0[m]>
yes, it does.
19:50 rodriguez^jarvis has joined IRC (rodriguez^jarvis!~rodriguez@216.200.69.154)
19:50
<rodriguez^jarvis>
how would I add a second server?
19:55 rodriguez^jarvis has left IRC (rodriguez^jarvis!~rodriguez@216.200.69.154, Ping timeout: 252 seconds)
20:06 oh207_ has left IRC (oh207_!~oh207@pool-72-69-251-225.nycmny.fios.verizon.net, Ping timeout: 240 seconds)
20:17
<samop0[m]>
Just to furthermore clarify my advancement: I've added PAM_AUTH_TYPE = "Primary" and rebuilt the image file and I've got working local user logins, however, ldap users can login, but their homes are not mounted via sshfs. I think you wanted to warn me about fiddling with options. So, I am staying with primary and I will try to somehow persuade to mount users via ldap. I am looking into client/login/pamltsp to see what "Primary" option has
20:17
changed.
20:25
<alkisg>
Hmm, on second thought I think you'll need both primary for local users AND additional for the sshfs mounts of LDAP users; that will certainly need tweaking the sources, I don't think I have an option for both of them
20:25
The alternative would be to use nfs instead of sshfs; that wouldn't need tweaking the sources
20:28
<samop0[m]>
The alternative is to mount the whole /home directory via nfs? I could try this. Do I need to disable sshfs in ltsp.conf? or just running ltsp nfs -h will suffice?
20:29
I am not afraid to tweak the sources, but I think I will mess up somewhere :D.
20:47
<alkisg>
Read this one: https://ltsp.org/man/ltsp-nfs/#examples
20:59
<samop0[m]>
This works :D. With Primary and home directory as NFS. There is only one drawback and that is that all users' home directories are listed for every user under /home. Not a big deal in my case.
20:59
It is a nice clean solution ;)
21:21
Thank you, it really works nicely. Hopefully performance will not suffer when it will run in classroom of 20+ people :D
21:21 ricotz has left IRC (ricotz!~ricotz@ubuntu/member/ricotz, Quit: Leaving)
22:42 we6jbo has joined IRC (we6jbo!~we6jbo@2603-8001-5b43-4000-8d09-180e-3bed-ed3a.res6.spectrum.com)
22:55 we6jbo has left IRC (we6jbo!~we6jbo@2603-8001-5b43-4000-8d09-180e-3bed-ed3a.res6.spectrum.com, Ping timeout: 244 seconds)
23:08 we6jbo has joined IRC (we6jbo!~we6jbo@2603-8001-5b43-4000-8d09-180e-3bed-ed3a.res6.spectrum.com)