This guide will help you configure Ubuntu Server Edition 11.10 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.

Make sure you have disabled DHCP on your router and set a static IP address for the server. This is done by editing /etc/network/interfaces like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

It’s time to configure resolv.conf so that your server (and soon clients) can query name servers other than your own. This way, when a client looks up an address outside of danbishop.org (google.co.uk for example) dnsmasq (the software we’ll be using for DHCP and DNS) will query the name servers in resolv.conf. Dnsmasq will then cache the IP for subsequent requests from any client speeding up DNS across your network

In this case we’re going to use our own DNS server as the primary DNS, followed by Google’s public DNS servers. You can of course substitute Google’s servers for your own ISP’s, or any other DNS server.

So time to edit /etc/resolv.conf:

domain danbishop.org 
search danbishop.org 
nameserver 192.168.0.2
nameserver 8.8.8.8 
nameserver 8.8.4.4

Now it’s time to install Dnsmasq:

sudo apt-get install dnsmasq

Dnsmasq will take care of both DNS and DHCP for your network. We will configure it so that as it allocates IP addresses to clients on the network, it also adds them into its DNS server. This way both forward and reverse lookups will work on any machine, as required by Kerberos

The configuration file for Dnsmasq (/etc/dnsmasq.conf) is HUGE. However it is VERY well commented making it very easy to play around. The important things for this guide are:

domain=danbishop.org				#sets the domain name you're going to use
dhcp-range=192.168.0.50,192.168.0.150,12h	#sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1		#sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative				#makes this the authoritative (in this case ONLY) DHCP server on the network
 
# Server DNS settings... this is required as the server itself will
# not be obtaining it's IP address via DHCP and therefore would 
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org" 
address=/neo.danbishop.org/192.168.0.2 
 
# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic :D
address=/kerberos.danbishop.org/192.168.0.2 
address=/ldap.danbishop.org/192.168.0.2 
 
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
 
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389

It is well worth reading through the entire configuration file though as there is a lot to be learnt from the excellent comments!

Dnsmasq is now configured to act as your network’s DHCP server and clients are told to use your server for DNS queries. Now you’re all set to get DNS and DHCP up and running. Simply restart the service to load the new configuration:

sudo service dnsmasq restart

References

https://help.ubuntu.com/community/Dnsmasq

If you’d like to use an sftp share directly though finder then this guide is for you.

First, you need to install OSXFuse from https://github.com/osxfuse/osxfuse/downloads

At the “Installation Type” stage, be sure to select MacFUSE Compatibility Layer. It’s unticked by default.

Once installed, you need to get Macfusion from http://macfusionapp.org/

Perform the usual drag and drop into your Applications folder then run Macfusion.

Add a new Macfusion share by clicking on the plus icon and selecting SSHFS, enter your details, click ok, then mount. After a few moments your share will be available. You can press cmd+r to show your share in the Finder.

You can now directly edit files on the sftp share using any app on your mac without the need to manually download and re-upload them.

If this process does not work for you, try restarting your mac, then re-adding the Macfusion share.

Sadly, it’s inevitable (until the resolution of bug number 1) that many organisations will use software only available for platforms other than Ubuntu. This section of the guide is going to look at adding Macs to your network.

Changes to the Server

At present, Mac OS X (10.6 and below) does not support NFSv4. There is alpha support, but only when mounting manually, not when using automount. In short, that means we need to make sure our server is capable of using NFSv3 alongside NFSv4.

If you’ve followed the rest of this guide to setup your server, there’s nothing to do here you can skip straight to configuring your mac!

If your /etc/exports file looks something like this:

# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         gss/krb5(rw,fsid=0,async,subtree_check,no_root_squash,crossmnt)
/export/home   gss/krb5(rw,sync,no_subtree_check)

Where the export lines contain gss/krb5(….) then you need to change them. This is a deprecated way of exporting NFS shares, but unfortunately lots of other guides still use it. You need to change the above lines to look like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Note the insecure option. This is required for OS X to be able to connect. It’s not as bad as it sounds though! You’ll still be using Kerberos, so your system will still be secure, it just means that ports above 1024 can be used. See this relevant snippet from “man mount_nfs” on OS X:

resvport
Use a reserved socket port number. This is useful for mounting
servers that require clients to use a reserved port number on the
mistaken belief that this makes NFS more secure. (For the rare
case where the client has a trusted root account but untrustwor-
thy users and the network cables are in secure areas this does
help, but for normal desktop clients this does not apply.)

All that remains to do on the server now, is restart NFS:

sudo service nfs-kernel-server restart

Configuring the Mac

Kerberos

Open the terminal from finder at Applications/Utilities/Terminal and create a /Library/Preferences/edu.mit.Kerberos file as follows:

sudo nano /Library/Preferences/edu.mit.Kerberos

This file will be completely empty so we only need to add basic information like so:

[libdefaults]
	default_realm = DANBISHOP.ORG
	dns_lookup_kdc = true
	forwardable = true
	noaddresses = true
	allow_weak_crypto = true
[realms]
	DANBISHOP.ORG = {
		kdc = neo.danbishop.org
		admin_server = neo.danbishop.org
	}

Remembering of course to change the realm information to math your own!

Now we need to enable Kerberos authentication for login. This is done by modifying the /private/etc/authorization file.

sudo cp -p /private/etc/authorization /private/etc/authorization_orig
sudo pico -w /private/etc/authorization

Press ctrl+W to begin a search, then enter system.login.console

You will get something like this depending on which version of OS X you are using:

...
                <key>system.login.console</key>
                <dict>
                        <key>class</key>
                        <string>evaluate-mechanisms</string>
                        <key>comment</key>
                        <string>Login mechanism based rule.  Not for general us$
                        <key>mechanisms</key>
                        <array>
                                <string>builtin:smartcard-sniffer,privileged</s$
                                <string>loginwindow:login</string>
                                <string>builtin:reset-password,privileged</stri$
                                <string>builtin:auto-login,privileged</string>
                                <string>builtin:authenticate,privileged</string>
                                <string>loginwindow:success</string>
                                <string>HomeDirMechanism:login,privileged</stri$
                                <string>HomeDirMechanism:status</string>
                                <string>MCXMechanism:login</string>
                                <string>loginwindow:done</string>
                        </array>
...

For Tiger (Mac OS X 10.4.x), change:
From:

<string>authinternal</string>

To:

<string>builtin:krb5authnoverify,privileged</string>

For Leopard (Mac OS X 10.5.x) or greater, change:

From:

<string>builtin:authenticate,privileged</string>

To:

<string>builtin:krb5authnoverify,privileged</string>

There may be multiple occurrences of ‘authinternal’ or ‘authenticate’ in the /etc/authorization file. Make sure you change the correct one!

Now we’re going to create a kerberos principal for NFS on the Mac and then add it to the Mac’s Kerberos keytab:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-macmini.danbishop.org"
sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

LDAP

Now we need to configure OS X so that it knows how to find user details from our Ubuntu LDAP server. To do this we use the directory utility. In OS X Snow Leopard (10.6) this is found by going to System Preferences/Accounts/Login Options then clicking the join button by “Network Account Server:”. On the window that pops up, click “Open Directory Utility”.

Select LDAPv3 from the services list and click the edit icon (the pencil). Click show options and press the “New” button followed by the “Manual” button.

Now it’s time to enter the settings… you can set anything you like as the configuration name. For the server name enter the address of your LDAP server (“neo.danbishop.org” in my case). For LDAP Mappings you must select RFC 2307 (Unix). When you do this you will be prompted to enter the search base. This is your domain in ldap format… e.g. “dc=danbishop,dc=org”.

Leave SSL unticked (unless you know what you’re doing) and click OK.

Now we need to edit the search policy. Click the search policy button at the top of the Directory Utility and change the search dropdown from “Automatic” to “Custom Path”. Click on the + button that appears under the list of Directory Domains. You should see the domain we just setup listed as available. Click add, then apply. We’re done with the Directory Utility now

NFS

Try as I might, I cannot get the OS X automounter to work with this setup Any suggestions would be VERY welcome!

Meanwhile, we can mount the entire /home directory at boot (though Kerberos will prevent unauthorised access!) by going to the Disk Utility (spotlight it if you can’t find it) then selecting File/NFS Mounts…

Click the plus icon and enter the following two settings:

Remote NFS URL: nfs://neo.danbishop.org/export/home
Mount Location: /home

Reboot the Mac and you’re done

You can read about my efforts so far with the automounter below:

NFS and Automounts

PLEASE NOTE: THIS DOES NOT CURRENTLY WORK!

sudo nano /etc/auto_home

#
# Automounter map for /home
#
#+auto_home     # Use directory service

#
# Automounter map for /home
#
#+auto_home     # Use directory service
*   -fstype=nfs,sec=krb5   neo.danbishop.org:/export/home/&

Restart the Mac and you’re good to go!

References

http://clc.its.psu.edu/UnivServices/itadmins/mac/kerbldaplogins
http://krypted.com/mac-os-x-server/nfs-ubuntu-mac-os-x-clients-a-quickie/

Many guides for changing the default operating system for Grub2 to boot involve setting the number indicating where in the list that OS appears… unfortunately, when kernel updates are released for Ubuntu they shift everything down two places and your default OS therefore changes.

Fortunately, it is possible to set the default by name

First we need to obtain the exact name of the OS you wish to boot by running the following command:

fgrep menuentry /boot/grub/grub.cfg

You’ll get something like this:

menuentry 'Ubuntu, with Linux 2.6.38-8-generic' --class ubuntu --class gnu-linux --class gnu --class os {
menuentry 'Ubuntu, with Linux 2.6.38-8-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os {
menuentry "Memory test (memtest86+)" {
menuentry "Memory test (memtest86+, serial console 115200)" {
menuentry "Mac OS X (32-bit) (on /dev/sda2)" --class osx --class darwin --class os {
menuentry "Mac OS X (64-bit) (on /dev/sda2)" --class osx --class darwin --class os {
menuentry “Windows Vista (loader) (on /dev/sda1)” {

Now edit /etc/default/grub:

sudo nano /etc/default/grub

The default file looks like this:

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'
 
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
 
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
 
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
 
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
 
 
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
 
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
 
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

In order to set Windows Vista to be the default (I know, I know… who in their right mind?!… but still…) you need to change the line that reads GRUB_DEFAULT=0 to be like so:

GRUB_DEFAULT=”Windows Vista (loader) (on /dev/sda1)”

Basically copying and pasting everything in quotes (including the quotes!) for the entry you want to be the default.

The final step is to exit and save, then update grub with:

sudo update-grub

It’s quite common to need to use SSH in scripts, particularly for backup purposes. Unfortunately, this would mean storing a password in the script, which would consequently appear in logs etc… A much better plan is to use SSH keypairs. Once you’ve created a passphrase-less keypair and copied it to both machines, you can login without a password.

Firstly SSH into the machine you want to be able to access without a password. In this case, username dan connecting to machine neo.

ssh neo -l dan

Now create the keypair with:

ssh-keygen -t rsa

When asked for a passphrase, simply hit enter for none.

Now quit the ssh session with “exit” and run the following on the machine you want to have password-less access:

ssh-copy-id -i ~/.ssh/id_rsa.pub dan@neo

All done

You can now type “ssh neo” and it will log you straight in without asking for your password!

If you notice your webcam is upside down on skype/flash but fine on everything else, there’s a good chance the following will solve your problem.

Simply run this command in a terminal, followed by the program you want to run. For example for skype:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
skype

Or

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
chromium-browser

Note that the path contains lib32 as both flash and skype are 32bit programs. If you’re actually using a 32bit version of Ubuntu you can modify the path to read: /usr/lib/libv4l/v4l1-compat.so

Update: Name change for 11.04+

If you’re using Ubuntu 11.04 (Natty) or above you need to use the following instead:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
skype

Or

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
chromium-browser

Forgotten the admin password on your Mac? You can reset the welcome system that you usually get immediately after installing OS X (the welcome video followed by the lengthy, intrusive set of forms) to create a new admin account using the following steps:

1. Reboot
2. Hold command + s as soon as you hear the chime
3. You will be presented with a super user prompt, enter the following:

mount -uw /
rm /var/db/.AppleSetupDone
reboot

After rebooting and following the welcome process, you will have a new admin account. Login as the new admin and reset the old admin’s password, you can then log in as the old admin and delete the new admin account.

If you have several Ubuntu machines on a network, you might like to mirror the Ubuntu repositories locally so that you’re not wasting bandwidth downloading the same packages from the internet for every single machine. If you’ve already got an Ubuntu server up and running for some other task (such as ldap+kerberos+nfs type server, or a local web server) it’s very easy to add mirroring repository functionality to it. All you need is a spare ten minutes and ~35GB of free space for main, universe and multiverse and ~70GB if you also want the source packages (deb-src).

First step is to install apt-mirror:

sudo apt-get install apt-mirror

Now let’s edit the configuration file for apt-mirror:

sudo nano /etc/apt/mirror.list

The default configuration is as follows:

############# config ##################
#
# set base_path    /var/spool/apt-mirror
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############
 
deb http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
 
deb-src http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
 
clean http://archive.ubuntu.com/ubuntu

You can add extra repositories to the list, in the same format as the existing ones if you want to mirror these too. You can also change the path where you want the mirrored deb files to be stored. In my case I had a /spare partition set aside for future use and this is just perfect, so I’ve uncommented set base_path and changed /var/… to /spare. You may also like to remove the deb-src entries if you’re low on space unless you frequently use these to rebuild packages.

To specify the architecture that you want to mirror for use deb-i386 or deb-amd64 as the line prefix. You can also insert use a country code to specify that your mirror should be built from a mirror in your own country. This should make both your initial download and subsequent downloads much faster. To do this for the UK for example, use http://gb.archive.ubuntu.com/ubuntu

My final /etc/apt/mirror.list (which requires 52.0 GB of space) is as follows:

############# config ##################
#
set base_path    /spare
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  <running host architecture>
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############
 
deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb http://gb.archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb http://gb.archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
 
deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
 
 
clean http://gb.archive.ubuntu.com/ubuntu

Having changed the base_directory, I need to create some directories under /spare like so:

sudo mkdir /spare/mirror
sudo mkdir /spare/skel
sudo mkdir /spare/var

Now we can perform our first manual update of the mirror by running the following:

sudo apt-mirror /etc/apt/mirror.list

If you’ve made a mistake with the config file and apt-mirror quits unexpectedly, you might find that the next time you run it you get the following:

apt-mirror is already running, exiting at /usr/bin/apt-mirror line 187.

If this is the case and you’re sure that apt-mirror is not running, then delete the lock file at /spare/var/apt-mirror.lock

Cron

In order to keep the mirror up-to-date automatically, we need to set up a cron job. Apt-mirror installs an example cron job at /etc/cron.d/apt-mirror:

#
# Regular cron jobs for the apt-mirror package
#
# 0 4     * * *   apt-mirror      /usr/bin/apt-mirror > /var/spool/apt-mirror/var/cron.log

If you remove the comment from the front of the last line, this will cause the mirror to be updated every day at 4am. If you want to change this you can read more about how cron jobs work here.

Apache – Configuring your mirror for http access

Ubuntu clients generally access repositories over http, we can set our mirror up for http access using apache2. If you’ve not already installed apache on your server, use:

sudo apt-get install apache2

Now we need to create a symbolic link from our repository mirror, to a directory served by apache:

sudo ln -s /spare/mirror/gb.archive.ubuntu.com/ubuntu/ /var/www/ubuntu

Clients

To get your clients to use the new mirror, simply update /etc/apt/sources.list with the new paths, for example:

# deb cdrom:[Ubuntu 10.10 _Maverick Meerkat_ - Release amd64 (20101007)]/ maverick main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
 
deb http://neo.danbishop.org/ubuntu/ maverick main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick main restricted
 
## Major bug fix updates produced after the final release of the
## distribution.
deb http://neo.danbishop.org/ubuntu/ maverick-updates main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates main restricted
 
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://neo.danbishop.org/ubuntu/ maverick universe
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick universe
deb http://neo.danbishop.org/ubuntu/ maverick-updates universe
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates universe
 
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu 
## team, and may not be under a free licence. Please satisfy yourself as to 
## your rights to use the software. Also, please note that software in 
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://neo.danbishop.org/ubuntu/ maverick multiverse
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick multiverse
deb http://neo.danbishop.org/ubuntu/ maverick-updates multiverse
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates multiverse
 
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
# deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
 
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu maverick partner
# deb-src http://archive.canonical.com/ubuntu maverick partner
 
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu maverick main
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick multiverse
deb http://neo.danbishop.org/ubuntu/ maverick-updates multiverse
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates multiverse
 
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
# deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
 
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu maverick partner
# deb-src http://archive.canonical.com/ubuntu maverick partner
 
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu maverick main
deb-src http://extras.ubuntu.com/ubuntu maverick main
 
deb http://security.ubuntu.com/ubuntu maverick-security main restricted
deb-src http://security.ubuntu.com/ubuntu maverick-security main restricted
deb http://security.ubuntu.com/ubuntu maverick-security universe
deb-src http://security.ubuntu.com/ubuntu maverick-security universe
deb http://security.ubuntu.com/ubuntu maverick-security multiverse
#deb http://gb.archive.ubuntu.com/ubuntu/ maverick-proposed restricted main multiverse universe
deb-src http://security.ubuntu.com/ubuntu maverick-security multiverse

This is part of a guide to setting up an Ubuntu server for a small/medium business. The server will provide DHCP, DNS, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – OpenLDAP Account Management
Part 5 – Kerberos
Part 6 – NFS
Part 7 – Setting Up Clients

The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos.

I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named “localadmin”. We will use this account to configure the client.

First we need to install some packages:

sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common

If you’ve been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.

If asked to enter your default Kerberos Version 5 realm enter: “DANBISHOP.ORG”

You might then be asked for the address of the kerberos server: “neo.danbishop.org”

The address of the administrative server: “neo.danbishop.org”

The address of your ldap server: “ldap://neo.danbishop.org/”

LDAP server search base: “dc=danbishop,dc=org”

Finally, name services to configure. Make sure you select both group and passwd!

Run

sudo pam-auth-update

And ensure that LDAP and Kerberos are selected.

Now to configure idmapd so that the client correctly maps user and group names to ids, to do this you simply need to change the domain to match your own in /etc/idmapd.conf like so:

sudo nano /etc/idmapd.conf

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Now for the home directories…

Although we have configured everything so that clients can get kerberos settings from DNS… kadmin does not fully support this

This means we’re going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.

Add the following to the [realms] section of /etc/krb5.conf:

[realms]
         DANBISHOP.ORG = {
             kdc = neo.danbishop.org
             admin_server = neo.danbishop.org
             master_kdc = neo.danbishop.org
             default_domain = danbishop.org
         }

Now we’re going to create a kerberos principal for NFS on the client like so:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"

Having specified the admin server in /etc/krb5.conf we can run these command directly from the client.

Now we need to add the principal that’s just been created on the server, to the keytab file on the client:

sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you’re interested in why this is the case there are numerous bug reports on launchpad. For now though add the following to the [libdefaults] section of /etc/krb5.conf:

allow_weak_crypto = true

Configuring NFS

NFS needs to be configured to use kerberos by editing /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
 
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
 
# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=
 
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
 
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

Note that NEED_IDMAPD and NEED_GSSD have been set to yes.

AutoFS

Now we’re going to install and configure autofs to mount home directories on login.

Install the autofs package:

sudo apt-get install autofs

To configure autofs we will edit /etc/auto.master.

sudo nano /etc/auto.master

Here is the sample file provided by Ubuntu:

#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
#/net   -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master

As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).

Add the following line at the end of /etc/auto.master:

/home   /etc/auto.nfs

This creates a mount point at /home and configures it according to the settings specified in /etc/auto.nfs (which we are about to create).

Now we will create the file which countains our automounter map:

sudo nano /etc/auto.nfs

This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.

*   -fstype=nfs4,rw,sec=krb5   neo.danbishop.org:/home/&

This will automount any directory you try to access in /home allowing any user to login

All that remains is to restart automount (personally I’d just reboot the machine) by running:

sudo service autofs restart

You’re done!

This is part of a guide to setting up an Ubuntu server for a small/medium business. The server will provide DHCP, DNS, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – OpenLDAP Account Management
Part 5 – Kerberos
Part 6 – NFS
Part 7 – Setting Up Clients

This section will help you configure NFS using Kerberos to secure it.

The first step is to install the following NFS packages:

sudo apt-get install nfs-kernel-server nfs-common

NFSv4 uses a pseudo filesystem by mounting the real directories you want to export under an export folder using the -bind mount option. We need to create this folder system as follows:

sudo mkdir /export
sudo mkdir /export/home

In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:

/home    /export/home   none    bind  0  0

This will take care of mounting the directories next time he server reboots, but for now we can manually mount it using:

sudo mount /export/home

Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:

NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

Then by setting the following options in /etc/default/nfs-kernel-server:

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=

/etc/idmapd.conf needs to configured with the correct domain name for user/group name mappings:

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Next we need to create kerberos principals for the NFS server.

kinit dan/admin
kadmin -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"

sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.