This guide will help you configure Ubuntu Server Edition 11.10 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services so that users can log in to any machine on the network and all their files and settings will be the same across the entire network.
Part 1: DHCP and DNS
The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.
Make sure you have disabled DHCP on your router and set a static IP address for the server. This is done by editing /etc/network/interfaces like so:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.2
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
It’s time to configure resolv.conf so that your server (and soon the clients) can query name servers other than your own. This way, when a client looks up an address outside of danbishop.org (google.co.uk for example), dnsmasq (the software we’ll be using for DHCP and DNS) will query the name servers in resolv.conf. Dnsmasq will then cache the IP for subsequent requests from any client, speeding up DNS across your network.
In this case we’re going to use our own DNS server as the primary DNS, followed by Google’s public DNS servers. You can of course substitute Google’s servers for your own ISP’s, or any other DNS server.
So time to edit /etc/resolv.conf:
domain danbishop.org
search danbishop.org
nameserver 192.168.0.2
nameserver 8.8.8.8
nameserver 8.8.4.4
Now it’s time to install Dnsmasq:
sudo apt-get install dnsmasq
Dnsmasq will take care of both DNS and DHCP for your network. We will configure it so that as it allocates IP addresses to clients on the network, it also adds them into its DNS server. This way both forward and reverse lookups will work on any machine, as required by Kerberos.
The configuration file for Dnsmasq (/etc/dnsmasq.conf) is HUGE. However, it is VERY well commented, making it very easy to play around with. The important things for this guide are:
domain=danbishop.org #sets the domain name you're going to use
dhcp-range=192.168.0.50,192.168.0.150,12h #sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1 #sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative #makes this the authoritative (in this case ONLY) DHCP server on the network
# Server DNS settings... this is required as the server itself will
# not be obtaining its IP address via DHCP and therefore would
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org"
address=/neo.danbishop.org/192.168.0.2
# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic :D
address=/kerberos.danbishop.org/192.168.0.2
address=/ldap.danbishop.org/192.168.0.2
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389
It is well worth reading through the entire configuration file though as there is a lot to be learnt from the excellent comments!
Dnsmasq is now configured to act as your network’s DHCP server and clients are told to use your server for DNS queries. Now you’re all set to get DNS and DHCP up and running. Simply restart the service to load the new configuration:
sudo service dnsmasq restart
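Added example (not from the original guide): a short Python linter for the records above. It parses the address=, ptr-record, srv-host and txt-record lines and checks what Kerberos needs from them: each address has a ptr-record that maps back to it, every srv-host target has an address record, and the _kerberos TXT realm is the upper-cased domain. The config it runs on is constructed from the lines above plus two deliberately broken records, box.danbishop.org (no PTR) and kdc2.danbishop.org (an SRV target with no address).

```python
import re

# Constructed sample: the DNS-relevant lines from the dnsmasq.conf above, plus two
# deliberately inconsistent records (box.danbishop.org has no PTR, and an extra
# _kerberos SRV record points at kdc2.danbishop.org, which has no address record).
SAMPLE_CONF = """\
domain=danbishop.org
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-option=option:router,192.168.0.1
dhcp-authoritative
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org"
address=/neo.danbishop.org/192.168.0.2
address=/kerberos.danbishop.org/192.168.0.2
address=/ldap.danbishop.org/192.168.0.2
address=/box.danbishop.org/192.168.0.3
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389
srv-host=_kerberos._udp.danbishop.org,"kdc2.danbishop.org",88
"""


def parse_dnsmasq(conf_text):
    """Extract the static DNS records from dnsmasq.conf text.

    Returns a dict with forward (name -> ip), reverse (ip -> name),
    srv ([(service, target, port)]), realm (from the _kerberos TXT record)
    and domain. Blank lines, comments and options this check does not
    need (dhcp-range, dhcp-option, ...) are skipped.
    """
    forward, reverse, srv = {}, {}, []
    realm = domain = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = [f.strip().strip('"') for f in value.split(",")]
        if key == "domain":
            domain = value.strip().lower()
        elif key == "address":
            # address=/name1/name2/ip maps every listed name to ip
            *names, ip = value.strip("/").split("/")
            for name in names:
                forward[name.lower()] = ip
        elif key == "ptr-record":
            # 2.0.168.192.in-addr.arpa. -> 192.168.0.2
            rev = re.sub(r"\.in-addr\.arpa\.?$", "", fields[0].lower())
            reverse[".".join(reversed(rev.split(".")))] = fields[1].lower()
        elif key == "srv-host":
            srv.append((fields[0].lower(), fields[1].lower(), int(fields[2])))
        elif key == "txt-record" and fields[0].lower().startswith("_kerberos."):
            realm = fields[1]
    return {"forward": forward, "reverse": reverse, "srv": srv,
            "realm": realm, "domain": domain}


def check_kerberos_dns(records):
    """Return a list of findings; an empty list means the records are consistent."""
    findings = []
    fwd, rev = records["forward"], records["reverse"]
    # 1. Every address has a PTR, and the name in that PTR resolves back to the
    #    same address (the forward/reverse agreement Kerberos hosts need).
    for ip in sorted(set(fwd.values())):
        ptr_name = rev.get(ip)
        if ptr_name is None:
            findings.append(f"{ip}: no ptr-record, reverse lookup will fail")
        elif fwd.get(ptr_name) != ip:
            findings.append(f"{ip}: ptr-record names {ptr_name}, which does not map back to {ip}")
    # 2. Every SRV target needs its own address record (RFC 2782: an A record, not a CNAME).
    for service, target, port in records["srv"]:
        if target not in fwd:
            findings.append(f"{service}: target {target}:{port} has no address= record")
    # 3. The realm advertised by the _kerberos TXT record should be the upper-cased domain.
    realm, domain = records["realm"], records["domain"]
    if realm is None:
        findings.append("no _kerberos TXT record, clients cannot discover the realm from DNS")
    elif domain and realm != domain.upper():
        findings.append(f"TXT realm {realm} does not match domain {domain.upper()}")
    return findings


def lint_dnsmasq(conf_text):
    """Parse and check in one step."""
    return check_kerberos_dns(parse_dnsmasq(conf_text))


if __name__ == "__main__":
    for finding in lint_dnsmasq(SAMPLE_CONF) or ["OK: records are consistent"]:
        print(finding)
```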
References
https://help.ubuntu.com/community/Dnsmasq
Part 2: NTP
Your server will automatically request the time from the Ubuntu NTP servers on every boot... but hopefully you're not going to reboot it very often. It is useful for the server time to be correct when debugging, and it is ESSENTIAL for the server and all the clients on the network to have the same time (within ±5 mins by default) for Kerberos to work.
Fortunately, this is a very easy thing to configure on Ubuntu. Simply install ntpd with:
sudo apt-get install ntp
As of Ubuntu 11.04, a default pool of NTP servers will be used.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
However, you can change this by editing /etc/ntp.conf.
You should also edit /etc/ntp.conf to allow the local network to use your time server:
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 192.168.0.255
References
https://help.ubuntu.com/10.04/serverguide/C/NTP.html
Part 3: OpenLDAP
OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we're going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we'll be using Kerberos for this purpose.
The first step is to install OpenLDAP along with some utilities for administering it. This process will use your hostname to configure your LDAP domain, therefore it is very important that you have set this correctly BEFORE continuing, else you will get "error (49): invalid bind credentials". In this example the domain is danbishop.org and the server is called neo, so make sure /etc/hostname reads "neo.danbishop.org". If this is not the case, make this change and then REBOOT. Now install OpenLDAP:
sudo apt-get install slapd ldap-utils
You will be prompted for an LDAP admin password. Once you have set this, much of the manual configuration that had to be done in previous releases is handled automatically in 11.04 and above: Ubuntu will configure LDAP using the domain information we supplied in previous steps in this guide. If you do wish to make changes to this though, you can run "sudo dpkg-reconfigure slapd". All that remains is to create a place in the OpenLDAP directory to store our users and our groups.
This is done by creating a frontend.danbishop.org.ldif file like so:
dn: ou=Users,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Groups
Please note: it is important that you have a blank line between "ou: Users" and "dn: ou=Groups,dc=danbishop,dc=org". If you're copying and pasting the above, it will have a space at the beginning of the blank line; you must remove this!
Now we add the LDIF in the following way, entering your root LDAP password when prompted (the one you set during slapd installation):
sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif
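Added example, not part of the original guide: a minimal LDIF record splitter in Python that follows the folding rule behind the warning above (a line starting with a single space continues the previous line, and only a truly empty line ends a record), plus a linter that reports what ldapadd would choke on. The two inputs are constructed from the frontend LDIF above: one correct, one with the pasted " " separator.

```python
# Constructed samples: the frontend LDIF from this section, first as it should be
# and then as it tends to come out of a copy-and-paste, with a single space on the
# separator line.
GOOD_LDIF = """\
dn: ou=Users,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Groups
"""
PASTED_LDIF = GOOD_LDIF.replace("\n\n", "\n \n")


def parse_ldif(text):
    """Split LDIF text into records the way an RFC 2849 parser does.

    Only a truly empty line ends a record. A line that begins with a single
    space is a continuation of the previous line (line folding), so a separator
    that was pasted as " " is folded into "ou: Users" and does not end anything.
    Comment lines (#) are ignored. Returns a list of records, each a list of
    unfolded "attribute: value" lines.
    """
    records, current = [], []
    for line in text.splitlines():
        if line == "":
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        elif line.startswith(" ") and current:
            current[-1] += line[1:]      # fold the continuation onto the previous line
        else:
            current.append(line)
    if current:
        records.append(current)
    return records


def lint_ldif(text):
    """Return findings that would make ldapadd reject the file."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line != "" and line.strip() == "":
            findings.append(f"line {number}: whitespace-only line; a leading space "
                            "means continuation, so this does not separate records")
    for index, record in enumerate(parse_ldif(text), 1):
        dn_lines = [l for l in record if l.lower().startswith("dn:")]
        if not record[0].lower().startswith("dn:"):
            findings.append(f"record {index}: must begin with dn:, begins with {record[0]!r}")
        if len(dn_lines) > 1:
            findings.append(f"record {index}: contains {len(dn_lines)} dn: lines, "
                            "so two entries have run together")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", GOOD_LDIF), ("pasted", PASTED_LDIF)):
        print(name, len(parse_ldif(sample)), "record(s)", lint_ldif(sample))
```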
LDAP Indices
Although the above will work just fine, LDAP will complain every time a user is looked up in the database that you haven't indexed the UIDs. Indexing allows LDAP to perform searches faster than it otherwise would. Though this increase in performance is negligible with only a few users, large scale deployments will see noticeable benefits. For the purpose of preparing for possible future expansion... and to keep our log clean, we're going to create some indices.
Create an index.ldif file:
nano index.ldif
And insert the following:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
Now we're going to run the modification like so:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f index.ldif
LDAP Authentication on the Server
LDAP doesn't actually contain any users or groups yet, but now would be a good time to configure the server to check LDAP for login information, so that after we've set up Kerberos and created our first users we're ready to go! This is actually very easy to configure; it simply requires the installation of two packages:
sudo apt-get install libnss-ldapd libpam-ldapd
During the configuration section of the installation, you will be asked to confirm your LDAP settings and which services you'd like to enable LDAP for; you should select "group", "passwd" and "shadow". The packages will then configure /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf to work automatically. All other questions should be left with the default answer.
References
http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-lucid-part2
Part 4: Kerberos
It's time to install and configure Kerberos.
sudo apt-get install krb5-kdc krb5-admin-server
The packages will automatically configure Kerberos for the correct realm from the information provided by Dnsmasq earlier in this guide. All we have to do is create the database for the realm using the following tool:
sudo krb5_newrealm
There will be a slight delay whilst the server gathers enough random data to continue. Then you will be asked to enter a master key for Kerberos; make sure you use something secure and memorable.
To configure Kerberos for NFS later, we'll need to create an admin user.
sudo kadmin.local
The following output should be observed:
Authenticating as principal root/admin@DANBISHOP.ORG with password.
kadmin.local:
Enter the following:
addprinc dan/admin
Enter a password when prompted, then quit:
WARNING: no policy specified for dan/admin@DANBISHOP.ORG; defaulting to no policy
Enter password for principal "dan/admin@DANBISHOP.ORG":
Re-enter password for principal "dan/admin@DANBISHOP.ORG":
Principal "dan/admin@DANBISHOP.ORG" created.
kadmin.local: quit
We need to give dan/admin admin privileges by editing the access control list for Kerberos (/etc/krb5kdc/kadm5.acl). This file should contain the following:
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
*/admin *
Note that the last line has been uncommented so that all /admin principals have admin rights. To get Kerberos to use the new ACL we need to restart it:
sudo service krb5-admin-server restart
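Added example (a Python model written for this page, not MIT's code and not from the guide): a small evaluator for kadm5.acl entries that shows what "*/admin *" hands out, and compares it with a tighter constructed ACL for a hypothetical helpdesk/admin principal. It matches principals component by component, treats "*" as a whole-component wildcard and a "*" target as any target; wildcards inside a component and the restrictions field are not modelled.

```python
# The privilege letters kadm5.acl understands (add, delete, modify, changepw,
# inquire, list, propagate, setkey); "x" or "*" stands for all of them.
PRIVILEGES = set("admclips")

# Constructed samples: the entry this guide uncomments, and a tighter alternative
# (hypothetical helpdesk/admin principal limited to changepw and inquire).
GUIDE_ACL = """\
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
*/admin *
"""
TIGHT_ACL = """\
dan/admin *
helpdesk/admin ci
"""


def split_principal(name, default_realm):
    """'dan/admin@DANBISHOP.ORG' -> ('dan', 'admin', 'DANBISHOP.ORG').
    A missing instance is the empty string; a missing realm is the default realm."""
    if "@" in name:
        name, realm = name.rsplit("@", 1)
    else:
        realm = default_realm
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def principal_matches(pattern, principal, default_realm):
    """Component-wise match; a component written as '*' matches anything.
    (Wildcards inside a component, which kadmind also accepts, are not modelled.)"""
    pairs = zip(split_principal(pattern, default_realm),
                split_principal(principal, default_realm))
    return all(p == "*" or p == v for p, v in pairs)


def parse_kadm5_acl(text):
    """Return (client_pattern, permissions, target_pattern) tuples.
    An entry without a target field is stored with target '*' (any principal)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        target = fields[2] if len(fields) > 2 else "*"
        entries.append((fields[0], fields[1], target))
    return entries


def granted(permissions):
    """Expand a permission string into the set of privilege letters it grants.
    Upper-case letters remove a privilege from the set built so far."""
    allowed = set()
    for ch in permissions:
        if ch in "x*":
            allowed |= PRIVILEGES
        elif ch.islower():
            allowed.add(ch)
        else:
            allowed.discard(ch.lower())
    return allowed


def is_allowed(acl_text, client, privilege, target=None, default_realm="DANBISHOP.ORG"):
    """True if some ACL entry matching both the client and (if given) the target
    grants the privilege letter. Close enough for entries like the one above;
    see kadm5.acl(5) for the full rules."""
    for client_pat, permissions, target_pat in parse_kadm5_acl(acl_text):
        if not principal_matches(client_pat, client, default_realm):
            continue
        if (target is not None and target_pat != "*"
                and not principal_matches(target_pat, target, default_realm)):
            continue
        if privilege in granted(permissions):
            return True
    return False


if __name__ == "__main__":
    # With the guide's ACL every /admin principal in the realm can do everything.
    print("dan/admin may add:", is_allowed(GUIDE_ACL, "dan/admin", "a"))
    print("dan (no instance) may add:", is_allowed(GUIDE_ACL, "dan", "a"))
    print("helpdesk/admin may add under TIGHT_ACL:", is_allowed(TIGHT_ACL, "helpdesk/admin", "a"))
```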
Now we can test everything has worked with:
kinit dan/admin
Enter the password you set when requested then run klist:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan/admin@DANBISHOP.ORG
Valid starting Expires Service principal
02/05/11 19:57:24 02/06/11 05:57:24 krbtgt/DANBISHOP.ORG@DANBISHOP.ORG
renew until 02/06/11 19:57:21
If you get output something like the above then congratulations, you have a fully functioning Kerberos Realm :)
To ensure that all services (samba for windows clients in particular) that might like to use your Kerberos realm in the future can do so, you should add your realm information to /etc/krb5.conf like so:
[libdefaults]
default_realm = DANBISHOP.ORG
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
allow_weak_crypto = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DANBISHOP.ORG = {
kdc = neo.danbishop.org
admin_server = neo.danbishop.org
master_kdc = neo.danbishop.org
default_domain = danbishop.org
}
Finally, we can enable Kerberos authentication for logging in to the server.
sudo apt-get install libpam-krb5
sudo pam-auth-update
Check that Kerberos and LDAP are selected as authentication methods to allow users to login/ssh into the server.
Part 5: NFS
This section will help you configure NFS, using Kerberos to secure it.
The first step is to install the following NFS packages:
sudo apt-get install nfs-kernel-server nfs-common
NFSv4 uses a pseudo filesystem: the real directories you want to export are mounted under an export folder using the bind mount option. We need to create this folder structure as follows:
sudo mkdir /export
sudo mkdir /export/home
In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:
/home /export/home none bind 0 0
This will take care of mounting the directories next time the server reboots, but for now we can manually mount it using:
sudo mount /export/home
Next we're going to tell NFS what it should export by configuring the /etc/exports file like so:
/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
Then by setting the following options in /etc/default/nfs-kernel-server:
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=
/etc/idmapd.conf needs to be configured with the correct domain name for user/group name mappings:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
Next we need to create Kerberos principals for the NFS server.
sudo kadmin.local -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"
sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.
Finally, a small change is needed to enable weak encryption (the only type currently supported by NFS in Ubuntu) in Kerberos. This is done by editing /etc/krb5.conf and adding the following to the [libdefaults] section:
allow_weak_crypto = true
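Added example, not part of the guide: a Python audit of /etc/exports in the format used in this part. It flags exports that would still accept sec=sys (the default when no sec= is given, so a client simply asserts a uid), exports that use krb5 without krb5i or krb5p, and no_root_squash. The sample input is the two export lines above plus two constructed weaker lines for contrast.

```python
import re

# Constructed sample: the two export lines from this section plus two weaker
# ones (added here for contrast) that an audit should catch.
SAMPLE_EXPORTS = """\
/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
# constructed: no sec= at all, so this export silently falls back to AUTH_SYS
/export/scratch 192.168.0.0/24(rw,no_subtree_check)
# constructed: sys is still accepted and remote root is not squashed
/export/backup *(rw,no_root_squash,sec=krb5:sys)
"""

# client token: optional client name followed by optional (option,list)
CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return (path, client, [options]) for every client on every export line.
    A client token looks like '*(rw,sec=krb5p)'; a token with no client part
    applies to every host, which exports(5) treats as '*'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            client, opts = CLIENT_RE.fullmatch(token).groups()
            exports.append((path, client or "*", opts.split(",") if opts else []))
    return exports


def audit_exports(exports):
    """Findings for exports that do not require Kerberos for every client.
    Without a sec= option the kernel server defaults to sec=sys, where the
    client asserts its own uid; krb5 alone authenticates but leaves the
    traffic unprotected; krb5i adds integrity and krb5p adds privacy."""
    findings = []
    for path, client, opts in exports:
        sec = [o.split("=", 1)[1] for o in opts if o.startswith("sec=")]
        flavors = sec[0].split(":") if sec else ["sys"]
        if "sys" in flavors:
            findings.append(f"{path} {client}: accepts sec=sys, a client can present "
                            "any uid without a Kerberos ticket")
        elif not {"krb5i", "krb5p"} & set(flavors):
            findings.append(f"{path} {client}: sec={':'.join(flavors)} authenticates only; "
                            "add krb5i or krb5p for integrity/privacy")
        if "no_root_squash" in opts:
            findings.append(f"{path} {client}: no_root_squash lets root on the client "
                            "act as root on the export")
    return findings


def lint_exports(text):
    """Parse and audit in one step."""
    return audit_exports(parse_exports(text))


if __name__ == "__main__":
    for finding in lint_exports(SAMPLE_EXPORTS) or ["OK: every export requires Kerberos"]:
        print(finding)
```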
Part 6: Account Management
Now you have OpenLDAP and Kerberos up and running, it's time to learn how to manage your users and groups.
Management Scripts Configuration
Firstly, we're going to install some scripts to aid with basic management tasks:
sudo apt-get install ldapscripts
Now we need to edit the config file /etc/ldapscripts/ldapscripts.conf uncommenting and changing the following to match your environment:
# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
# Copyright (C) 2006-2011 Ganaël LAPLANCHE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override its values here.
# LDAP server
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
# Suffixes
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
# Authentication type
# If empty, use simple authentication
# Else, use the value as an SASL authentication mechanism
SASLAUTH=""
#SASLAUTH="GSSAPI"
# Simple authentication parameters
# DEBIAN: values from /etc/pam_ldap.conf are used.
# The following BIND* parameters are ignored if SASLAUTH is set
#BINDDN="cn=Manager,dc=example,dc=com"
# The following file contains the raw password of the BINDDN
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
#BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# insecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
# Group membership management
# ObjectCLass used for groups
# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !)
# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup).
# Also, do not mix posixGroup and groupOf* entries up in your directory as, within RFC 2307bis,
# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration.
GCLASS="posixGroup" # Leave "posixGroup" here if not sure !
# When using groupOfNames or groupOfUniqueNames, creating a group requires an initial
# member. Specify it below, you will be able to remove it once groups are populated.
#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"
# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u" # You may use %u for username here
CREATEHOMES="yes" # Create home directories and set rights ?
#HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistent.
#HOMEPERMS="755" # Default permissions for home directories
# User passwords generation
# Command-line used to generate a password for added users.
# You may use %u for username here ; special value "" will ask for a password interactively
# WARNING !!!! This is evaluated, everything specified here will be run !
# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy).
# In this case, consider using /dev/urandom instead.
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN=""
PASSWORDGEN="pwgen"
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
# Where to log
LOGFILE="/var/log/ldapscripts.log"
# Temporary folder
TMPDIR="/tmp"
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which...
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
# Character set conversion : $ICONVCHAR UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
The changes from the default file are highlighted below:
# Provides LDAP server's address and the admin username
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
# These have all been uncommented and the correct suffix set for our domain;
# the Users and Groups OUs match the ones created with the LDIF in Part 3
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
# This creates home directories when we create users
CREATEHOMES="yes"
If you've read through the default comments in /etc/ldapscripts/ldapscripts.conf you'll see that it reads the LDAP admin password from the /etc/ldap.secret file. So the following two commands create that file, write our admin password to it (change PASSWORD to your admin password) and then set it to be non-world-readable. This prevents users discovering your LDAP password, but allows root, or processes running as root, to read the file and find the password.
sudo sh -c "echo -n 'PASSWORD' > /etc/ldap.secret"
sudo chmod 400 /etc/ldap.secret
You might also have noticed that /etc/adduser.conf is used to determine home directory defaults. Ubuntu allows users to view the contents of other users' home directories by default. In some environments, particularly home environments, this is fine, but you might want to change that by editing DIR_MODE=0755 to be DIR_MODE=0700.
Managing Users
Now the LDAP scripts are configured we can start creating users. We're going to use the group name "admin" for administrators as this is the default for Ubuntu and will enable us to give admin rights to users on every machine on the network without any further configuration. However, as this group already exists as a local group, we need to be very careful that we don't lock ourselves out of the server here...
The first thing to do is create a password for our first admin user. As we are using Kerberos for authentication, a principal needs to be created for the administrator. This is done like so:
sudo kadmin.local -q "addprinc dan"
Now we need some groups to hold our users. The first two groups we will create will be "domainadmins" and "domainusers":
sudo ldapaddgroup domainadmins
sudo ldapaddgroup domainusers
Next we will create a user and assign them to the domainadmins group:
sudo ldapadduser dan domainadmins
And finally add the user to the users group too:
sudo ldapaddusertogroup dan domainusers
You can now log in to the server (and later client machines) as this user. If you want the group domainadmins to have sudo access on the server, you need to run the following:
sudo visudo
Scroll down to the following section and append the %domainadmins... line:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domainadmins ALL=(ALL) ALL
References
http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
Part 7: Connecting Ubuntu Clients
The clients are going to be configured so that they mount home directories from the server and verify usernames/passwords using LDAP and Kerberos.
I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named "localadmin". We will use this account to configure the client.
First we need to install some packages:
sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common
If you've been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.
If asked to enter your default Kerberos Version 5 realm enter: "DANBISHOP.ORG"
You might then be asked for the address of the kerberos server: "neo.danbishop.org"
The address of the administrative server: "neo.danbishop.org"
The address of your ldap server: "ldap://neo.danbishop.org/"
LDAP server search base: "dc=danbishop,dc=org"
Finally, you will be asked which name services to configure. Make sure you select group, passwd and shadow!
Run
sudo pam-auth-update
And ensure that LDAP and Kerberos are selected.
Now configure idmapd so that the client correctly maps user and group names to IDs. To do this, you simply need to change the domain to match your own in /etc/idmapd.conf like so:
sudo nano /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
Now for the home directories...
Although we have configured everything so that clients can get kerberos settings from DNS... kadmin does not fully support this :(
This means we're going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.
Add the following to the [realms] section of /etc/krb5.conf:
[realms]
DANBISHOP.ORG = {
kdc = neo.danbishop.org
admin_server = neo.danbishop.org
master_kdc = neo.danbishop.org
default_domain = danbishop.org
}
Now we're going to create a kerberos principal for NFS on the client like so:
kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"
Having specified the admin server in /etc/krb5.conf, we can run these commands directly from the client.
Now we need to add the principal that has just been created on the server to the keytab file on the client:
sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"
Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (12.04?), and if you're interested in why this is the case there are numerous bug reports on Launchpad. For now though, add the following to the [libdefaults] section of /etc/krb5.conf:
allow_weak_crypto = true
Configuring NFS
NFS needs to be configured to use Kerberos by editing /etc/default/nfs-common:
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
# Options for rpc.statd.
# Should rpc.statd listen on a specific port? This is especially useful
# when you have a port-based firewall. To use a fixed port, set this
# variable to a statd argument like: "--port 4000 --outgoing-port 4001".
# For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes
Note that NEED_IDMAPD and NEED_GSSD have been set to yes.
AutoFS
Now we're going to install and configure autofs to mount home directories on login.
Install the autofs package:
sudo apt-get install autofs
To configure autofs we will edit /etc/auto.master.
sudo nano /etc/auto.master
Here is the sample file provided by Ubuntu:
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
#/net -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master
As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).
Add the following line at the end of /etc/auto.master:
/home /etc/auto.home
This creates a mount point at /home and configures it according to the settings specified in /etc/auto.home (which we are about to create).
Now we will create the file which contains our automounter map:
sudo nano /etc/auto.home
This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.
* -fstype=nfs4,rw,soft,timeo=5,intr,sec=krb5 neo.danbishop.org:/home/&
This will automount any directory you try to access in /home, allowing any user to log in :)
All that remains is to restart automount (personally I'd just reboot the machine) by running:
sudo service autofs restart
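To see what the wildcard line in /etc/auto.home actually produces for a given user, here is an added example (not part of the original guide) that expands a map entry the way automount does, substituting the looked-up key for `&`, and then checks that the resulting mount uses NFSv4 with a Kerberos security flavour. The map files are constructed samples; the first copies the guide's entry.

```shell
#!/bin/sh
# Added example, not part of the original guide: expand an autofs wildcard map
# entry the way automount does for one key, so the mount a user would get can
# be checked before anyone logs in. The map files below are constructed samples;
# the first copies the guide's /etc/auto.home line.

# Usage: autofs_expand MAPFILE KEY  -> prints "OPTIONS LOCATION"
# A "*" key matches any name, and every "&" in the location is replaced by the
# key, so /home/dan resolves to neo.danbishop.org:/home/dan.
autofs_expand() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        {
            opts = ""; loc = $NF
            if (NF >= 3 && $2 ~ /^-/) opts = $2   # options field is optional
            if ($1 != "*" && $1 != key) next
            gsub(/&/, key, loc)
            print opts, loc; exit
        }' "$1"
}

# Usage: autofs_requires_krb5 MAPFILE KEY
# Succeeds only when the expanded entry mounts NFSv4 with a Kerberos security
# flavour (sec=krb5, krb5i or krb5p); anything else authenticates the client
# with plain AUTH_SYS uids, which is what the guide is trying to avoid.
autofs_requires_krb5() {
    opts=$(autofs_expand "$1" "$2" | cut -d' ' -f1)
    case ",$opts," in
        *,-fstype=nfs4,*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample maps: the guide's entry and a weaker one for contrast.
AUTO_HOME_OK=$(mktemp); AUTO_HOME_WEAK=$(mktemp)
printf '%s\n' '# constructed copy of the guide map' \
    '* -fstype=nfs4,rw,soft,timeo=5,intr,sec=krb5 neo.danbishop.org:/home/&' >"$AUTO_HOME_OK"
printf '%s\n' '* -fstype=nfs4,rw,soft neo.danbishop.org:/home/&' >"$AUTO_HOME_WEAK"

autofs_expand "$AUTO_HOME_OK" dan                    # shows the expanded mount
autofs_requires_krb5 "$AUTO_HOME_WEAK" dan || echo "weak map: no sec=krb5"
```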
Finally, we want the local machine to use LDAP groups and users over local ones so that domain administrators will have admin access to every machine on the network. This is done by editing /etc/nsswitch.conf:
sudo nano /etc/nsswitch.conf
By default the file looks like so:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat ldap
group: compat ldap
shadow: compat ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
We want to change passwd, group and shadow to use LDAP first:
passwd: ldap files
group: ldap files
shadow: ldap files
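The following added example (not part of the original guide) is a toy model of the NSS lookup order that shows why this change matters: with the default `compat ldap` order a local account named the same as a directory user wins the lookup, and with `ldap files` the directory entry wins. The nsswitch.conf, passwd and LDAP export files it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original guide: a toy model of glibc's NSS
# lookup order for the passwd database, showing why the guide swaps
# "compat ldap" for "ldap files". All files below are constructed samples.

# Usage: nss_sources NSSWITCH_FILE DATABASE  -> prints e.g. "ldap files"
nss_sources() {
    awk -v db="$2" '/^[ \t]*#/ { next }
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Usage: nss_ldap_first NSSWITCH_FILE
# Succeeds when passwd, group and shadow each name ldap as their first source;
# prints the databases that do not.
nss_ldap_first() {
    rc=0
    for db in passwd group shadow; do
        first=$(nss_sources "$1" "$db" | awk '{ print $1 }')
        [ "$first" = ldap ] || { echo "$db: first source is '${first:-none}'"; rc=1; }
    done
    return $rc
}

# Usage: nss_lookup NSSWITCH_FILE LOCAL_PASSWD LDAP_PASSWD NAME
# Walks the passwd sources in order and prints the first matching entry.
# "compat" is treated as the local files source; actions such as
# [NOTFOUND=return] are skipped in this simplified model.
nss_lookup() {
    for src in $(nss_sources "$1" passwd); do
        case $src in
            files|compat) f=$2 ;;
            ldap) f=$3 ;;
            *) continue ;;
        esac
        grep "^$4:" "$f" && return 0
    done
    return 1
}

# Constructed samples: the client's default nsswitch.conf and the guide's version,
# plus a local passwd file and an LDAP export that both define "dan".
NSS_DEFAULT=$(mktemp); NSS_FIXED=$(mktemp); LOCAL_PW=$(mktemp); LDAP_PW=$(mktemp)
printf '%s\n' 'passwd: compat ldap' 'group: compat ldap' 'shadow: compat ldap' >"$NSS_DEFAULT"
printf '%s\n' 'passwd: ldap files' 'group: ldap files' 'shadow: ldap files' >"$NSS_FIXED"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'dan:x:1000:1000:Local Dan:/home/dan:/bin/bash' >"$LOCAL_PW"
printf '%s\n' 'dan:x:10000:10000:Dan Bishop:/home/dan:/bin/bash' >"$LDAP_PW"

nss_lookup "$NSS_DEFAULT" "$LOCAL_PW" "$LDAP_PW" dan   # local uid 1000 wins
nss_lookup "$NSS_FIXED" "$LOCAL_PW" "$LDAP_PW" dan     # directory uid 10000 wins
```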
Now restart the client machine and you're done! :D
Part 8: Connecting Microsoft Windows Clients
To get this working we're going to need to make some changes to the server, installing Samba to act as an Active Directory Primary Domain Controller... thankfully, that's a lot easier than it sounds!
Server Configuration
sudo apt-get install samba libpam-smbpass
That will install Samba and import all of your user accounts for use with Samba. Furthermore, new user accounts will automatically be synchronised with their Samba counterparts.
Let's create a Kerberos principal for the Samba service to use. SSH into the server and run the following:
sudo kadmin.local -q "addprinc -randkey cifs/neo.danbishop.org"
sudo kadmin.local -q "addprinc -randkey cifs/neo"
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo.danbishop.org"
sudo kadmin.local -q "ktadd -k /etc/krb5.keytab -e rc4-hmac:normal cifs/neo"
Be sure to include the encryption type when running ktadd. The default encryption type is not compatible with the Samba client utilities. You'll notice both the FQDN and the hostname of the server have been added. I hope to clean this up soon, but at the moment this is the only way I've managed to be sure it will work.
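Both the allow_weak_crypto setting from Part 7 and the rc4-hmac keys added here are concessions worth tracking so they can be reverted later. This added example (not part of the original guide) audits a keytab listing and a krb5.conf for exactly those two things; the `klist -ke` output and krb5.conf it reads are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the two Kerberos
# concessions the guide makes, allow_weak_crypto = true in krb5.conf (for NFS,
# Part 7) and rc4-hmac keys for the cifs/ principals (Part 8). The `klist -ke`
# output and krb5.conf files below are constructed, not from a real host.

# Usage: weak_keytab_entries KLIST_KE_OUTPUT_FILE
# Prints "principal enctype" for every key using single DES or RC4; AES and 3DES keys are not reported.
weak_keytab_entries() {
    awk '
        # entry lines look like "   2 cifs/neo@REALM (arcfour-hmac)"
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            et = substr($NF, 2, length($NF) - 2)
            if (et ~ /^(des-cbc-|arcfour-hmac|rc4-hmac)/) print $2, et
        }' "$1"
}

# Usage: krb5_allows_weak_crypto KRB5_CONF
# Succeeds when [libdefaults] sets allow_weak_crypto to true/yes/1, which re-enables DES enctypes.
krb5_allows_weak_crypto() {
    awk '
        /^[ \t]*\[/ { sect = $0; next }
        {
            gsub(/^[ \t]+|[ \t]+$/, "")
            split($0, kv, /[ \t]*=[ \t]*/)
            if (sect ~ /\[libdefaults\]/ && kv[1] == "allow_weak_crypto" &&
                tolower(kv[2]) ~ /^(true|yes|1)$/) found = 1
        }
        END { exit !found }' "$1"
}

KLIST_SAMPLE=$(mktemp); KRB5_WEAK=$(mktemp); KRB5_STRICT=$(mktemp)   # constructed samples
cat >"$KLIST_SAMPLE" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/neo.danbishop.org@DANBISHOP.ORG (aes256-cts-hmac-sha1-96)
   2 nfs/dan-desktop.danbishop.org@DANBISHOP.ORG (des-cbc-crc)
   3 cifs/neo.danbishop.org@DANBISHOP.ORG (arcfour-hmac)
   3 cifs/neo@DANBISHOP.ORG (arcfour-hmac)
EOF
printf '%s\n' '[libdefaults]' '    default_realm = DANBISHOP.ORG' \
    '    allow_weak_crypto = true' '[realms]' >"$KRB5_WEAK"
printf '%s\n' '[libdefaults]' '    default_realm = DANBISHOP.ORG' >"$KRB5_STRICT"

weak_keytab_entries "$KLIST_SAMPLE"
krb5_allows_weak_crypto "$KRB5_WEAK" && echo "krb5.conf: weak crypto enabled"
```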
Now we need to configure Samba:
sudo nano /etc/samba/smb.conf
This file contains a comprehensive and well-commented list of all of Samba's configuration settings and is well worth reading through; the changes we're particularly interested in are detailed below:
workgroup = danbishop.org
security = user
realm = DANBISHOP.ORG
kerberos method = system keytab
domain logons = yes
logon path = \\%N\%U\windowsprofile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
Most of the above simply need a # or a ; deleting from the beginning of their line in the config file to enable them.
We also need to enable some shares in the configuration file; these are found towards the end of the file under the title "Share Definitions":
[homes]
comment = Home Directories
browseable = no
read only = no
valid users = %S
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
read only = yes
share modes = no
Now we need to create the netlogon folder and an empty logon.cmd (this will be used later to run commands each time a user logs on, perhaps to mount another share, etc.):
sudo mkdir -p /home/samba/netlogon
sudo touch /home/samba/netlogon/logon.cmd
Now we just need to restart Samba to make the changes take effect:
sudo service smbd restart
sudo service nmbd restart
We also need to create a group called "machines" for Samba to use when the add machine script is run. This will happen whenever you join a new Windows machine to your domain.
sudo ldapaddgroup machines
To be able to recognise your Unix admins as Windows admins, we need to map the Windows admin group to the Unix admin group like so:
sudo net groupmap add ntgroup="Domain Admins" unixgroup=domainadmins rid=512 type=d
You also need to give admins who are allowed to add machines to the network explicit rights to do so. The following command gives the user dan the ability to use the add machine script and therefore join Windows machines to the domain.
net rpc rights grant -U dan "danbishop.org\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
If you get an authentication error here, check that you have added your realm information to /etc/krb5.conf on the server (in this case neo). See the Kerberos section of this guide for how to do that.
Connecting Windows 7 Clients
Windows 7 requires a registry change to be able to connect to a Samba domain. Download and run this registry entry on the client machine. Once added to the registry, restart the machine (or at least the lanman service).
Now would also be a good time to run the optimisations reg file. These tweaks are NOT necessary, but they do improve login speed.
Then go to Control Panel, System and Security, System and under "Computer name, domain and workgroup settings" click "Change settings". Click the "Change" button on the dialogue that appears and enter "DANBISHOP.ORG" in the domain box. Click OK.
You will then be prompted for the domain administrator's details to join the domain, in this case username dan and associated password. It will take some time to connect to the domain, but eventually you will be shown a dialogue box welcoming you to the DANBISHOP.ORG domain. Restart the computer and you'll be able to log in as any of your domain users.
If you get a username/password not recognised error, log the user into a Linux machine (or the server itself via ssh) and you should see "Added user ." printed to the terminal. The user can now use the Samba domain.
Hi Dan, I have been following your blog on setting up an SBS so far so good apart from when I get to the part for adding an ldap group.
sudo ldapaddgroup domainadmins
I get an error: Error adding group domainadmins to LDAP
I have read in a previous blog about the ldap.secret password having to be 1 more than the password length but not having much joy.
The ldapscripts log talks about the credentials not being correct (49).
I have installed phpldapadmin as well to see if I can add the groups and users there but it doesn’t add a GID to the group.
Any ideas?
I also added the ldap password to /etc/pam_ldap.secret and fixed the error I had above.
Regards,
Shane
Dan,
Sorry to be a pain, but now that I have set up the client machine when I go to login with an ldap user, I get the message ‘Could not update ICEauthority file /home/spiper/.ICEauthority’
When I look at the home folder on the server there is no ICEauthority file.
Dan (or anyone reading this page), if you could help me on this that would be great… I run the command
“sudo ldapaddgroup domainadmins”
I receive an output of “Could not guess current user”
Having a look round it seems the error is related to the $USER variable not being defined. But other than that I have no idea how to debug and fix this.
I’ve installed LDAP and Kerberos, but how the two work together is a complete puzzle. Can you elaborate a bit on the roles of each one?