Dan Bishop » Uncategorized

Using hostapd to add wireless access point capabilities to an Ubuntu server.

Dan Bishop — Sun, 11 Dec 2011 21:37:55 +0000

The first thing to do is find out whether your hardware is capable of running in master mode. The easiest way to check this is like so:

sudo apt-get install iw
iw list

Look through the output to find the Supported Interface Modes section:

...
Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point
...

If, as in the example above, AP mode is listed, then congratulations you have everything you need! If not, all is not lost. Check out this guide to see how to test older hardware for master mode.

HostAPD

We’re going to use the hostapd service to manage our access point, the first thing to do is install, then configure it.

sudo apt-get install hostapd
sudo nano /etc/default/hostapd

This will install hostapd and present you with the default service configuration. We need to modify this file to start hostapd at boot and tell it where we’ll store the config file. Do this by editing the DAEMON_CONF line like so:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Now we need to create a config file at the location above:

sudo nano /etc/hostapd/hostapd.conf

Paste the following into it:

ctrl_interface=/var/run/hostapd
###############################
# Basic Config
###############################
macaddr_acl=0
auth_algs=1
# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211
##########################
# Local configuration...
##########################
interface=wlan0
bridge=br0
hw_mode=g
channel=1
ssid=danlan
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=DONOTFORGETTOCHANGEME
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Most of the options above are fairly self-explantory, however, there are a few things to note. Firstly, “hw_mode=g” should be set as “g” even if you want an 802.11n access point. Furthermore, you need to set a WPA passphrase where indicated.

Bridging the Connections

Your AP is now configured and clients will be able to connect, however, they will not be assigned an IP and they will not be able to access the network on eth0. That’s where bridging comes in. This example assumes that your server has an eth0 connection to the network and wlan0 which is being used as the wireless AP.

First we need to install the bridge utilities:

sudo apt-get install bridge-utils

Edit your /etc/network/interfaces file like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# The primary network interface
#auto eth0
#iface eth0 inet static
#       address 192.168.0.2
#       netmask 255.255.255.0
#       network 192.168.0.0
#       broadcast 192.168.0.255
#       gateway 192.168.0.1
 
auto br0
iface br0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        bridge-ports eth0 wlan0

Note that the new br0 interface effectively replaces your existing eth0 interface. If you’ve followed the Ubuntu SBS guide to configure DHCP then you’re done! Your new AP should be up and running after a simple reboot. If not, follow the DHCP Server section of the SBS guide on this site.

How to batch convert PDFs to Jpgs

Dan Bishop — Mon, 28 Nov 2011 11:30:39 +0000

This is mainly for my own future reference, but might be useful to others. First things first, I had to clean up the PDF filenames, some contained spaces, some did not.

rename 'y/ /-/' *

This will replace all spaces with hyphens (-).

Now for the converting process:

for i in `ls *.pdf`; do convert -density 125 "$i" "$i".jpg; done

This will convert all .pdf files in the current directory. It requires imagemagik to be installed (on Ubuntu you will be given instructions on how to do this if it’s not already installed when you run the command).

The option “-density 125″ can be adjusted to produce different sized Jpg files, the higher the number, the higher the resolution and consequently the file size.

How to Install Ubuntu from USB on Macbook Air 4,2 (2011)

Dan Bishop — Fri, 09 Sep 2011 08:12:36 +0000

Create Ubuntu USB Stick

First download an Ubuntu iso from www.ubuntu.com/download

Be sure to get the 64bit+mac desktop version.

The first step is to convert the iso to a dmg using the terminal:

hdiutil convert -format UDRW -o ~/Downloads/ubuntu.dmg ~/Downloads/ubuntu-11.10-desktop-amd64+mac.iso

Run the command “diskutil list” without your usb stick in, then again once the stick has been inserted. The output from the second command should look something like:

dan-macbookair:~ dan$ diskutil  list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *16.0 GB    disk1
   1:             Windows_FAT_32                         16.0 GB    disk1s1

As you can see, disk1 has appeared since the insertion of the USB stick. It is very important you work out which disk your USB stick is in this way, else the next step will cause you to wipe out data on your Macbook Air’s SSD!

Now run:

diskutil unmountDisk /dev/disk1

Substituting disk1 for your USB stick’s disk number.

Next we’re going to write the image to the stick like so:

sudo dd if=~/Downloads/ubuntu.dmg of=/dev/rdisk1 bs=1m

Note that this time we’ve added an r to the front of disk1, this is not essential, but will speed up the process.

Finally, once the above command has executed, run “diskutil eject /dev/disk1″ again replacing disk1 with your own stick’s reference.

Your USB stick has been created, restart your Macbook Air holding the alt key and choose to boot from the stick.

Installation

As soon as you see the purple screen with the white icon at the bottom, hit any key to get the USB stick’s boot menu. Select your language then press F6 and select the nomodeset option. Press ESC to return to the main menu and select “Try Ubuntu without any change to your computer”.

Proceed with the installation as normal, once finished, reboot the machine and hold down alt. Ubuntu will show up as “Windows”, select this option.

After a short pause you will see Grub and a list of boot options, press “e” to edit the default boot options. You will be presented with several strings of text, the penultimate line begins “Linux…” scroll along this line and add “nomodeset” directly before “quiet splash” so that it now reads “… nomodeset quiet splash …”.

Press ctrl+x to boot Ubuntu.

Fixing things…

First things first, install any updates that have come out since 11.10 was released:

sudo apt-get update
sudo apt-get upgrade

Now reboot. Yes, I know, how Windows-like… but we are about to start playing with your kernel and it’s a good idea to be using the new one you’ll have just installed through updates! Don’t forget to use the nomodeset trick from above again (don’t worry… this should be the last time!).

Now we’re going to run the incredible post-install-oneiric.sh script from almostsure.com:

wget http://almostsure.com/mba42/post-install-oneiric.sh
chmod +x post-install-oneiric.sh
./post-install-oneiric.sh

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 7 – Setting Up Clients

Dan Bishop — Sun, 01 May 2011 16:58:25 +0000

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos.

I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named “localadmin”. We will use this account to configure the client.

First we need to install some packages:

sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common

If you’ve been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.

If asked to enter your default Kerberos Version 5 realm enter: “DANBISHOP.ORG”

You might then be asked for the address of the kerberos server: “neo.danbishop.org”

The address of the administrative server: “neo.danbishop.org”

The address of your ldap server: “ldap://neo.danbishop.org/”

LDAP server search base: “dc=danbishop,dc=org”

Finally, name services to configure. Make sure you select group, passwd and shadow!

Run

sudo pam-auth-update

And ensure that LDAP and Kerberos are selected.

Now to configure idmapd so that the client correctly maps user and group names to ids, to do this you simply need to change the domain to match your own in /etc/idmapd.conf like so:

sudo nano /etc/idmapd.conf

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Now for the home directories…

Although we have configured everything so that clients can get kerberos settings from DNS… kadmin does not fully support this

This means we’re going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.

Add the following to the [realms] section of /etc/krb5.conf:

[realms]
         DANBISHOP.ORG = {
             kdc = neo.danbishop.org
             admin_server = neo.danbishop.org
             master_kdc = neo.danbishop.org
             default_domain = danbishop.org
         }

Now we’re going to create a kerberos principal for NFS on the client like so:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"

Having specified the admin server in /etc/krb5.conf we can run these command directly from the client.

Now we need to add the principal that’s just been created on the server, to the keytab file on the client:

sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you’re interested in why this is the case there are numerous bug reports on launchpad. For now though add the following to the [libdefaults] section of /etc/krb5.conf:

allow_weak_crypto = true

Configuring NFS

NFS needs to be configured to use kerberos by editing /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
 
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
 
# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=
 
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
 
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

Note that NEED_IDMAPD and NEED_GSSD have been set to yes.

AutoFS

Now we’re going to install and configure autofs to mount home directories on login.

Install the autofs package:

sudo apt-get install autofs

To configure autofs we will edit /etc/auto.master.

sudo nano /etc/auto.master

Here is the sample file provided by Ubuntu:

#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
#/net   -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master

As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).

Add the following line at the end of /etc/auto.master:

/home   /etc/auto.home

This creates a mount point at /home and configures it according to the settings specified in /etc/auto.home (which we are about to create).

Now we will create the file which countains our automounter map:

sudo nano /etc/auto.home

This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.

*   -fstype=nfs4,rw,soft,sec=krb5   neo.danbishop.org:/home/&

This will automount any directory you try to access in /home allowing any user to login

All that remains is to restart automount (personally I’d just reboot the machine) by running:

sudo service autofs restart

Finally, we want the local machine to use LDAP groups and users over local ones so that domain administrators will have admin access to every machine on the network. This is done by editing /etc/nsswtich.conf

sudo nano /etc/nsswitch.conf

By default the file looks like so:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
 
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
 
hosts:          files dns
networks:       files
 
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
 
netgroup:       nis

We want to change passwd, group and shadow to use LDAP first:

passwd:         ldap files
group:          ldap files
shadow:         ldap files

Now restart the client machine and you’re done!

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 6 – Account Management

Dan Bishop — Sun, 01 May 2011 16:36:33 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

Now you have OpenLDAP and Kerberos up and running, it’s time to learn how to manage your users and groups.

Management Scripts Configuration

Firstly, we’re going to install some scripts to aid with basic management tasks:

sudo apt-get install ldapscripts

Now we need to edit the config file /etc/ldapscripts/ldapscripts.conf uncommenting and changing the following to match your environment:

#  Copyright (C) 2005 Ganal LAPLANCHE - Linagora
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.
 
# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.
 
 
# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
 
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
#BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
 
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)
 
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
 
# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="yes"      # Create home directories and set rights ?
#HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
#HOMEPERMS="755"       # Default permissions for home directories
 
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
PASSWORDGEN="pwgen -s"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN=""
 
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 
# Where to log
LOGFILE="/var/log/ldapscripts.log"
 
# Temporary folder
TMPDIR="/tmp"
 
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
 
# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
 
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"
 
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
 
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""
 
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

The changes from the default file are highlighted below:

# Provides LDAP server's address and the admin username
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
 
# These have all been uncommented, Users changed to People
# and the correct suffix set for our domain
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)
 
# This creates home directories when we create users
CREATEHOMES="yes"

If you’ve read through the default comments in /etc/ldapscripts/ldapscripts.conf you’ll see that it finds the LDAP admin password from a /etc/ldap.secret file. So the following two commands create that file, write our admin password to it (change PASSWORD to your admin password) and then set it to be non-world-readable. This prevents users discovering your LDAP password, but allows root, or processes running as root, to read the file and find the password.

sudo sh -c "echo -n 'PASSWORD' > /etc/ldap.secret"
sudo chmod 400 /etc/ldap.secret

You might also have noticed that /etc/adduser.conf is used to determine home directory defaults. Ubuntu allows users to view the contents of other user’s home directories by default. In some environments, particularly home environments, this is fine, but you might want to change that by editing DIR_MODE=0755 to be DIR_MODE=0700.

Managing Users

Now the LDAP scripts are configured we can start creating users. We’re going to use the group name “admin” for administrators as this is the default for Ubuntu and will enable us to give admin rights to users on every machine on the network without any further configuration. However, as this group already exists as a local group, we need to be very careful that we don’t lock ourselves out of the server here…

The first thing to do is create a password for our first admin user. As we are using Kerberos for authentication, the administrator needs a principal creating. This is done like so:

sudo kadmin.local -q "addprinc dan"

Now we need some groups to hold our users. The first two groups we will create will be “admin” and “user”:

sudo ldapaddgroup admin
sudo ldapaddgroup user

Next we will create a user and assign him to a group:

sudo ldapadduser dan 10001

Note the use of group 10001 rather than simply “admin”. This is to avoid any confusion with the local admin group on the server. In some instances, I’ve seen this cause issues. Group 10001 will be the first ldap group you created, you can see the GIDs for all groups by using the command “getent group”.

And finally add the user to the user group:

sudo ldapaddusertogroup dan 10002

You can now login to the server (and later client machines) as this user. The “localadmin” account on the server will no longer be able to use sudo as it doesn’t belong to the ldap “admin” group, only the local one. For subsequent users, you may create the Kerberos principal after creating the LDAP user if you prefer.

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 5 – NFS

Dan Bishop — Sun, 01 May 2011 16:09:17 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

This section will help you configure NFS; using Kerberos to secure it.

The first step is to install the following NFS packages:

sudo apt-get install nfs-kernel-server nfs-common

NFSv4 uses a pseudo filesystem by mounting the real directories you want to export under an export folder using the -bind mount option. We need to create this folder system as follows:

sudo mkdir /export
sudo mkdir /export/home

In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:

/home    /export/home   none    bind  0  0

This will take care of mounting the directories next time he server reboots, but for now we can manually mount it using:

sudo mount /export/home

Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:

NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

Then by setting the following options in /etc/default/nfs-kernel-server:

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=

/etc/idmapd.conf needs to configured with the correct domain name for user/group name mappings:

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Next we need to create Kerberos principals for the NFS server.

sudo kadmin.local -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"

sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.

Finally, a small change is needed to enable weak encryption (the only type currently supported by NFS in Ubuntu) in Kerberos. This is done by editing /etc/krb5.conf and adding the following to the [libdefaults] section:

allow_weak_crypto = true

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 4 – Kerberos

Dan Bishop — Sun, 01 May 2011 14:43:07 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

It’s time to install and configure Kerberos.

sudo apt-get install krb5-kdc krb5-admin-server

The packages will automatically configure Kerberos for the correct realm from the information provided by Dnsmasq earlier in this guide. All we have to do is create the database for the realm using the following tool:

sudo krb5_newrealm

There will be a slight delay whilst the server gathers enough random data to continue, then you will be asked to enter a master key for Kerberos, make sure you use something secure and memorable.

To configure Kerberos for NFS later, we’ll need to create an admin user.

sudo kadmin.local

The following output should be observed:

Authenticating as principal root/admin@DANBISHOP.ORG with password.
kadmin.local:

Enter the following:

addprinc dan/admin

Enter a password when prompted, then quit:

WARNING: no policy specified for dan/admin@DANBISHOP.ORG; defaulting to no policy
Enter password for principal "dan/admin@DANBISHOP.ORG": 
Re-enter password for principal "dan/admin@DANBISHOP.ORG": 
Principal "dan/admin@DANBISHOP.ORG" created.
kadmin.local: quit

We need to give dan/admin admin privileges by editing the access control list for Kerberos (/etc/krb5kdc/kadm5.acl) this file should contain the following:

# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *

Note that the last line has been uncommented so that all /admin principals have admin rights. To get Kerberos to use the new ACL we need to restart it:

sudo service krb5-admin-server restart

Now we can test everything has worked with:

kinit dan/admin

Enter the password you set when requested then run klist:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan/admin@DANBISHOP.ORG
 
Valid starting     Expires            Service principal
02/05/11 19:57:24  02/06/11 05:57:24  krbtgt/DANBISHOP.ORG@DANBISHOP.ORG
	renew until 02/06/11 19:57:21

If you get output something like the above then congratulations, you have a fully functioning Kerberos Realm

Finally, we can enable kerberos authentication to login to the server.

sudo apt-get install libpam-krb5
sudo pam-auth-update

Check that Kerberos and LDAP are selected as authentication methods to allow users to login/ssh into the server.

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 3 – OpenLDAP

Dan Bishop — Sun, 01 May 2011 13:51:43 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we’ll be using Kerberos for this purpose.

The first step is to install OpenLDAP along with some utilities for administering it.

sudo apt-get install slapd ldap-utils

You will be prompted for an LDAP admin password, once you have set this, much of the manual configuration that had to be done in previous release is handled automatically in 11.04. Ubuntu will configure LDAP using the domain information we supplied in previous steps in this guide. If you do wish to make changes to this though, you can run “sudo dpkg-reconfigure slapd”. All that remains to be done is creating a place in the OpenLDAP directory to store our users and our groups.

This is done by creating a frontend.danbishop.org.ldif file like so:

dn: ou=Users,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Users
 
dn: ou=Groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: Groups

Please note: it is important that you have a new line between “ou:Users” and “dn: ou=Groups,dc=danbishop,dc=org” if you’re copying and pasting the above, it will have a space at the beginning of the blank line, you must remove this!

Now we add the LDIF in the following way, entering your root LDAP password when prompted (the one you set during slapd installation):

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif

LDAP Authentication on the Server

LDAP doesn’t actually contain any users or groups yet, but now would be a good time to configure the server to check ldap for login information, so that after we’ve setup Kerberos and created our first users we’re ready to go! This is actually very easy to configure, it simply requires the installation of two packages:

sudo apt-get install libnss-ldapd libpam-ldapd

During the configuration section of the installation, you will be asked to confirm your LDAP settings and which services you’d like to enable LDAP for, you should select “group”, “passwd” and “shadow”. The packages will then configure /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf to work automatically.

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-lucid-part2

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 2 – NTP

Dan Bishop — Sun, 01 May 2011 13:37:04 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

Your server will automatically request the time from the Ubuntu NTP servers on every boot… but hopefully you’re not going to reboot it very often. It is useful for the server time to be correct when debugging and it is ESSENTIAL for the server and all the clients on the network to have the same time (±5mins by default) for Kerberos to work.

Fortunately, this is a very easy thing to configure on Ubuntu. Simply install ntpd with:

sudo apt-get install ntp

As of Ubuntu 11.04, a default pool of NTP servers will be used.

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

However you can change this by editing /etc/ntp.conf

References

https://help.ubuntu.com/10.04/serverguide/C/NTP.html

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 1 – DHCP and DNS

Dan Bishop — Sun, 01 May 2011 13:27:29 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.

Make sure you have disabled DHCP on your router and set a static IP address for the server. This is done by editing /etc/network/interfaces like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

It’s time to configure resolv.conf so that your server (and soon clients) can query name servers other than your own. This way, when a client looks up an address outside of danbishop.org (google.co.uk for example) dnsmasq (the software we’ll be using for DHCP and DNS) will query the name servers in resolv.conf. Dnsmasq will then cache the IP for subsequent requests from any client speeding up DNS across your network

In this case we’re going to use our own DNS server as the primary DNS, followed by Google’s public DNS servers. You can of course substitute Google’s servers for your own ISP’s, or any other DNS server.

So time to edit /etc/resolv.conf:

domain danbishop.org 
search danbishop.org 
nameserver 192.168.0.2 
nameserver 8.8.8.8 
nameserver 8.8.4.4

Now it’s time to install Dnsmasq:

sudo apt-get install dnsmasq

Dnsmasq will take care of both DNS and DHCP for your network. We will configure it so that as it allocates IP addresses to clients on the network, it also adds them into its DNS server. This way both forward and reverse lookups will work on any machine, as required by Kerberos

The configuration file for Dnsmasq (/etc/dnsmasq.conf) is HUGE. However it is VERY well commented making it very easy to play around. The important things for this guide are:

domain=danbishop.org				#sets the domain name you're going to use
dhcp-range=192.168.0.50,192.168.0.150,12h	#sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1		#sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative				#makes this the authoritative (in this case ONLY) DHCP server on the network
 
# Server DNS settings... this is required as the server itself will
# not be obtaining it's IP address via DHCP and therefore would 
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org" 
address=/neo.danbishop.org/192.168.0.2 
 
# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic :D
address=/kerberos.danbishop.org/192.168.0.2 
address=/ldap.danbishop.org/192.168.0.2 
 
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
 
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389

It is well worth reading through the entire configuration file though as there is a lot to be learnt from the excellent comments!

Dnsmasq is now configured to act as your network’s DHCP server and clients are told to use your server for DNS queries. Now you’re all set to get DNS and DHCP up and running. Simply restart the service to load the new configuration:

sudo service dnsmasq restart

References

https://help.ubuntu.com/community/Dnsmasq