Dan Bishop

Using hostapd to add wireless access point capabilities to an Ubuntu server.

Dan Bishop — Sun, 11 Dec 2011 21:37:55 +0000

The first thing to do is find out whether your hardware is capable of running in master mode. The easiest way to check this is like so:

sudo apt-get install iw
iw list

Look through the output to find the Supported Interface Modes section:

...
Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point
...

If, as in the example above, AP mode is listed, then congratulations you have everything you need! If not, all is not lost. Check out this guide to see how to test older hardware for master mode.

HostAPD

We’re going to use the hostapd service to manage our access point, the first thing to do is install, then configure it.

sudo apt-get install hostapd
sudo nano /etc/default/hostapd

This will install hostapd and present you with the default service configuration. We need to modify this file to start hostapd at boot and tell it where we’ll store the config file. Do this by editing the DAEMON_CONF line like so:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Now we need to create a config file at the location above:

sudo nano /etc/hostapd/hostapd.conf

Paste the following into it:

ctrl_interface=/var/run/hostapd
###############################
# Basic Config
###############################
macaddr_acl=0
auth_algs=1
# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211
##########################
# Local configuration...
##########################
interface=wlan0
bridge=br0
hw_mode=g
channel=1
ssid=danlan
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=DONOTFORGETTOCHANGEME
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Most of the options above are fairly self-explantory, however, there are a few things to note. Firstly, “hw_mode=g” should be set as “g” even if you want an 802.11n access point. Furthermore, you need to set a WPA passphrase where indicated.

Bridging the Connections

Your AP is now configured and clients will be able to connect, however, they will not be assigned an IP and they will not be able to access the network on eth0. That’s where bridging comes in. This example assumes that your server has an eth0 connection to the network and wlan0 which is being used as the wireless AP.

First we need to install the bridge utilities:

sudo apt-get install bridge-utils

Edit your /etc/network/interfaces file like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# The primary network interface
#auto eth0
#iface eth0 inet static
#       address 192.168.0.2
#       netmask 255.255.255.0
#       network 192.168.0.0
#       broadcast 192.168.0.255
#       gateway 192.168.0.1
 
auto br0
iface br0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        bridge-ports eth0 wlan0

Note that the new br0 interface effectively replaces your existing eth0 interface. If you’ve followed the Ubuntu SBS guide to configure DHCP then you’re done! Your new AP should be up and running after a simple reboot. If not, follow the DHCP Server section of the SBS guide on this site.

How to batch convert PDFs to Jpgs

Dan Bishop — Mon, 28 Nov 2011 11:30:39 +0000

This is mainly for my own future reference, but might be useful to others. First things first, I had to clean up the PDF filenames, some contained spaces, some did not.

rename 'y/ /-/' *

This will replace all spaces with hyphens (-).

Now for the converting process:

for i in `ls *.pdf`; do convert -density 125 "$i" "$i".jpg; done

This will convert all .pdf files in the current directory. It requires imagemagik to be installed (on Ubuntu you will be given instructions on how to do this if it’s not already installed when you run the command).

The option “-density 125″ can be adjusted to produce different sized Jpg files, the higher the number, the higher the resolution and consequently the file size.

How to Build an Ubuntu 11.10 SBS (Small Business Server)

Dan Bishop — Sat, 29 Oct 2011 10:23:02 +0000

This guide will help you configure Ubuntu Server Edition 11.10 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.

Make sure you have disabled DHCP on your router and set a static IP address for the server. This is done by editing /etc/network/interfaces like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

It’s time to configure resolv.conf so that your server (and soon clients) can query name servers other than your own. This way, when a client looks up an address outside of danbishop.org (google.co.uk for example) dnsmasq (the software we’ll be using for DHCP and DNS) will query the name servers in resolv.conf. Dnsmasq will then cache the IP for subsequent requests from any client speeding up DNS across your network

In this case we’re going to use our own DNS server as the primary DNS, followed by Google’s public DNS servers. You can of course substitute Google’s servers for your own ISP’s, or any other DNS server.

So time to edit /etc/resolv.conf:

domain danbishop.org 
search danbishop.org 
nameserver 192.168.0.2
nameserver 8.8.8.8 
nameserver 8.8.4.4

Now it’s time to install Dnsmasq:

sudo apt-get install dnsmasq

Dnsmasq will take care of both DNS and DHCP for your network. We will configure it so that as it allocates IP addresses to clients on the network, it also adds them into its DNS server. This way both forward and reverse lookups will work on any machine, as required by Kerberos

The configuration file for Dnsmasq (/etc/dnsmasq.conf) is HUGE. However it is VERY well commented making it very easy to play around. The important things for this guide are:

domain=danbishop.org				#sets the domain name you're going to use
dhcp-range=192.168.0.50,192.168.0.150,12h	#sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1		#sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative				#makes this the authoritative (in this case ONLY) DHCP server on the network
 
# Server DNS settings... this is required as the server itself will
# not be obtaining it's IP address via DHCP and therefore would 
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org" 
address=/neo.danbishop.org/192.168.0.2 
 
# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic :D
address=/kerberos.danbishop.org/192.168.0.2 
address=/ldap.danbishop.org/192.168.0.2 
 
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
 
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389

It is well worth reading through the entire configuration file though as there is a lot to be learnt from the excellent comments!

Dnsmasq is now configured to act as your network’s DHCP server and clients are told to use your server for DNS queries. Now you’re all set to get DNS and DHCP up and running. Simply restart the service to load the new configuration:

sudo service dnsmasq restart

References

https://help.ubuntu.com/community/Dnsmasq

How to mount SFTP/SSH shares in OS X Lion

Dan Bishop — Sat, 10 Sep 2011 08:52:47 +0000

If you’d like to use an sftp share directly though finder then this guide is for you.

First, you need to install OSXFuse from https://github.com/osxfuse/osxfuse/downloads

At the “Installation Type” stage, be sure to select MacFUSE Compatibility Layer. It’s unticked by default.

Once installed, you need to get Macfusion from http://macfusionapp.org/

Perform the usual drag and drop into your Applications folder then run Macfusion.

Add a new Macfusion share by clicking on the plus icon and selecting SSHFS, enter your details, click ok, then mount. After a few moments your share will be available. You can press cmd+r to show your share in the Finder.

You can now directly edit files on the sftp share using any app on your mac without the need to manually download and re-upload them.

If this process does not work for you, try restarting your mac, then re-adding the Macfusion share.

How to Install Ubuntu from USB on Macbook Air 4,2 (2011)

Dan Bishop — Fri, 09 Sep 2011 08:12:36 +0000

Create Ubuntu USB Stick

First download an Ubuntu iso from www.ubuntu.com/download

Be sure to get the 64bit+mac desktop version.

The first step is to convert the iso to a dmg using the terminal:

hdiutil convert -format UDRW -o ~/Downloads/ubuntu.dmg ~/Downloads/ubuntu-11.10-desktop-amd64+mac.iso

Run the command “diskutil list” without your usb stick in, then again once the stick has been inserted. The output from the second command should look something like:

dan-macbookair:~ dan$ diskutil  list
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *121.3 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *16.0 GB    disk1
   1:             Windows_FAT_32                         16.0 GB    disk1s1

As you can see, disk1 has appeared since the insertion of the USB stick. It is very important you work out which disk your USB stick is in this way, else the next step will cause you to wipe out data on your Macbook Air’s SSD!

Now run:

diskutil unmountDisk /dev/disk1

Substituting disk1 for your USB stick’s disk number.

Next we’re going to write the image to the stick like so:

sudo dd if=~/Downloads/ubuntu.dmg of=/dev/rdisk1 bs=1m

Note that this time we’ve added an r to the front of disk1, this is not essential, but will speed up the process.

Finally, once the above command has executed, run “diskutil eject /dev/disk1″ again replacing disk1 with your own stick’s reference.

Your USB stick has been created, restart your Macbook Air holding the alt key and choose to boot from the stick.

Installation

As soon as you see the purple screen with the white icon at the bottom, hit any key to get the USB stick’s boot menu. Select your language then press F6 and select the nomodeset option. Press ESC to return to the main menu and select “Try Ubuntu without any change to your computer”.

Proceed with the installation as normal, once finished, reboot the machine and hold down alt. Ubuntu will show up as “Windows”, select this option.

After a short pause you will see Grub and a list of boot options, press “e” to edit the default boot options. You will be presented with several strings of text, the penultimate line begins “Linux…” scroll along this line and add “nomodeset” directly before “quiet splash” so that it now reads “… nomodeset quiet splash …”.

Press ctrl+x to boot Ubuntu.

Fixing things…

First things first, install any updates that have come out since 11.10 was released:

sudo apt-get update
sudo apt-get upgrade

Now reboot. Yes, I know, how Windows-like… but we are about to start playing with your kernel and it’s a good idea to be using the new one you’ll have just installed through updates! Don’t forget to use the nomodeset trick from above again (don’t worry… this should be the last time!).

Now we’re going to run the incredible post-install-oneiric.sh script from almostsure.com:

wget http://almostsure.com/mba42/post-install-oneiric.sh
chmod +x post-install-oneiric.sh
./post-install-oneiric.sh

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 8 – Connecting Mac OS X Clients to Your Ubuntu Server with Kerberos, LDAP and NFS Home Directories

Dan Bishop — Fri, 27 May 2011 18:18:47 +0000

Sadly, it’s inevitable (until the resolution of bug number 1) that many organisations will use software only available for platforms other than Ubuntu. This section of the guide is going to look at adding Macs to your network.

Changes to the Server

At present, Mac OS X (10.6 and below) does not support NFSv4. There is alpha support, but only when mounting manually, not when using automount. In short, that means we need to make sure our server is capable of using NFSv3 alongside NFSv4.

If you’ve followed the rest of this guide to setup your server, there’s nothing to do here you can skip straight to configuring your mac!

If your /etc/exports file looks something like this:

# /etc/exports: the access control list for filesystems which may be exported
#		to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export         gss/krb5(rw,fsid=0,async,subtree_check,no_root_squash,crossmnt)
/export/home   gss/krb5(rw,sync,no_subtree_check)

Where the export lines contain gss/krb5(….) then you need to change them. This is a deprecated way of exporting NFS shares, but unfortunately lots of other guides still use it. You need to change the above lines to look like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Note the insecure option. This is required for OS X to be able to connect. It’s not as bad as it sounds though! You’ll still be using Kerberos, so your system will still be secure, it just means that ports above 1024 can be used. See this relevant snippet from “man mount_nfs” on OS X:

resvport
Use a reserved socket port number. This is useful for mounting
servers that require clients to use a reserved port number on the
mistaken belief that this makes NFS more secure. (For the rare
case where the client has a trusted root account but untrustwor-
thy users and the network cables are in secure areas this does
help, but for normal desktop clients this does not apply.)

All that remains to do on the server now, is restart NFS:

sudo service nfs-kernel-server restart

Configuring the Mac

Kerberos

Open the terminal from finder at Applications/Utilities/Terminal and create a /Library/Preferences/edu.mit.Kerberos file as follows:

sudo nano /Library/Preferences/edu.mit.Kerberos

This file will be completely empty so we only need to add basic information like so:

[libdefaults]
	default_realm = DANBISHOP.ORG
	dns_lookup_kdc = true
	forwardable = true
	noaddresses = true
	allow_weak_crypto = true
[realms]
	DANBISHOP.ORG = {
		kdc = neo.danbishop.org
		admin_server = neo.danbishop.org
	}

Remembering of course to change the realm information to math your own!

Now we need to enable Kerberos authentication for login. This is done by modifying the /private/etc/authorization file.

sudo cp -p /private/etc/authorization /private/etc/authorization_orig
sudo pico -w /private/etc/authorization

Press ctrl+W to begin a search, then enter system.login.console

You will get something like this depending on which version of OS X you are using:

...
                system.login.console
                
                        class
                        evaluate-mechanisms
                        comment
                        Login mechanism based rule.  Not for general us$
                        mechanisms
                        
                                builtin:smartcard-sniffer,privilegedloginwindow:login
                                builtin:reset-password,privilegedbuiltin:auto-login,privileged
                                builtin:authenticate,privileged
                                loginwindow:success
                                HomeDirMechanism:login,privilegedHomeDirMechanism:status
                                MCXMechanism:login
                                loginwindow:done
                        
...

For Tiger (Mac OS X 10.4.x), change:
From:

authinternal

To:

builtin:krb5authnoverify,privileged

For Leopard (Mac OS X 10.5.x) or greater, change:

From:

builtin:authenticate,privileged

To:

builtin:krb5authnoverify,privileged

There may be multiple occurrences of ‘authinternal’ or ‘authenticate’ in the /etc/authorization file. Make sure you change the correct one!

Now we’re going to create a kerberos principal for NFS on the Mac and then add it to the Mac’s Kerberos keytab:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-macmini.danbishop.org"
sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

LDAP

Now we need to configure OS X so that it knows how to find user details from our Ubuntu LDAP server. To do this we use the directory utility. In OS X Snow Leopard (10.6) this is found by going to System Preferences/Accounts/Login Options then clicking the join button by “Network Account Server:”. On the window that pops up, click “Open Directory Utility”.

Select LDAPv3 from the services list and click the edit icon (the pencil). Click show options and press the “New” button followed by the “Manual” button.

Now it’s time to enter the settings… you can set anything you like as the configuration name. For the server name enter the address of your LDAP server (“neo.danbishop.org” in my case). For LDAP Mappings you must select RFC 2307 (Unix). When you do this you will be prompted to enter the search base. This is your domain in ldap format… e.g. “dc=danbishop,dc=org”.

Leave SSL unticked (unless you know what you’re doing) and click OK.

Now we need to edit the search policy. Click the search policy button at the top of the Directory Utility and change the search dropdown from “Automatic” to “Custom Path”. Click on the + button that appears under the list of Directory Domains. You should see the domain we just setup listed as available. Click add, then apply. We’re done with the Directory Utility now

NFS

Try as I might, I cannot get the OS X automounter to work with this setup Any suggestions would be VERY welcome!

Meanwhile, we can mount the entire /home directory at boot (though Kerberos will prevent unauthorised access!) by going to the Disk Utility (spotlight it if you can’t find it) then selecting File/NFS Mounts…

Click the plus icon and enter the following two settings:

Remote NFS URL: nfs://neo.danbishop.org/export/home
Mount Location: /home

Reboot the Mac and you’re done

You can read about my efforts so far with the automounter below:

NFS and Automounts

PLEASE NOTE: THIS DOES NOT CURRENTLY WORK!

sudo nano /etc/auto_home

#
# Automounter map for /home
#
#+auto_home     # Use directory service

#
# Automounter map for /home
#
#+auto_home     # Use directory service
*   -fstype=nfs,sec=krb5   neo.danbishop.org:/export/home/&

Restart the Mac and you’re good to go!

References

http://clc.its.psu.edu/UnivServices/itadmins/mac/kerbldaplogins
http://krypted.com/mac-os-x-server/nfs-ubuntu-mac-os-x-clients-a-quickie/

Make Windows the Default Operating System in Grub2… even after Ubuntu updates…

Dan Bishop — Thu, 26 May 2011 09:06:58 +0000

Many guides for changing the default operating system for Grub2 to boot involve setting the number indicating where in the list that OS appears… unfortunately, when kernel updates are released for Ubuntu they shift everything down two places and your default OS therefore changes.

Fortunately, it is possible to set the default by name

First we need to obtain the exact name of the OS you wish to boot by running the following command:

fgrep menuentry /boot/grub/grub.cfg

You’ll get something like this:

menuentry 'Ubuntu, with Linux 2.6.38-8-generic' --class ubuntu --class gnu-linux --class gnu --class os {
menuentry 'Ubuntu, with Linux 2.6.38-8-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os {
menuentry "Memory test (memtest86+)" {
menuentry "Memory test (memtest86+, serial console 115200)" {
menuentry "Mac OS X (32-bit) (on /dev/sda2)" --class osx --class darwin --class os {
menuentry "Mac OS X (64-bit) (on /dev/sda2)" --class osx --class darwin --class os {
menuentry “Windows Vista (loader) (on /dev/sda1)” {

Now edit /etc/default/grub:

sudo nano /etc/default/grub

The default file looks like this:

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'
 
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
 
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
 
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
 
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
 
 
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
 
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
 
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

In order to set Windows Vista to be the default (I know, I know… who in their right mind?!… but still…) you need to change the line that reads GRUB_DEFAULT=0 to be like so:

GRUB_DEFAULT=”Windows Vista (loader) (on /dev/sda1)”

Basically copying and pasting everything in quotes (including the quotes!) for the entry you want to be the default.

The final step is to exit and save, then update grub with:

sudo update-grub

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 7 – Setting Up Clients

Dan Bishop — Sun, 01 May 2011 16:58:25 +0000

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos.

I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named “localadmin”. We will use this account to configure the client.

First we need to install some packages:

sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common

If you’ve been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.

If asked to enter your default Kerberos Version 5 realm enter: “DANBISHOP.ORG”

You might then be asked for the address of the kerberos server: “neo.danbishop.org”

The address of the administrative server: “neo.danbishop.org”

The address of your ldap server: “ldap://neo.danbishop.org/”

LDAP server search base: “dc=danbishop,dc=org”

Finally, name services to configure. Make sure you select group, passwd and shadow!

Run

sudo pam-auth-update

And ensure that LDAP and Kerberos are selected.

Now to configure idmapd so that the client correctly maps user and group names to ids, to do this you simply need to change the domain to match your own in /etc/idmapd.conf like so:

sudo nano /etc/idmapd.conf

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Now for the home directories…

Although we have configured everything so that clients can get kerberos settings from DNS… kadmin does not fully support this

This means we’re going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.

Add the following to the [realms] section of /etc/krb5.conf:

[realms]
         DANBISHOP.ORG = {
             kdc = neo.danbishop.org
             admin_server = neo.danbishop.org
             master_kdc = neo.danbishop.org
             default_domain = danbishop.org
         }

Now we’re going to create a kerberos principal for NFS on the client like so:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"

Having specified the admin server in /etc/krb5.conf we can run these command directly from the client.

Now we need to add the principal that’s just been created on the server, to the keytab file on the client:

sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you’re interested in why this is the case there are numerous bug reports on launchpad. For now though add the following to the [libdefaults] section of /etc/krb5.conf:

allow_weak_crypto = true

Configuring NFS

NFS needs to be configured to use kerberos by editing /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
 
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
 
# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=
 
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
 
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

Note that NEED_IDMAPD and NEED_GSSD have been set to yes.

AutoFS

Now we’re going to install and configure autofs to mount home directories on login.

Install the autofs package:

sudo apt-get install autofs

To configure autofs we will edit /etc/auto.master.

sudo nano /etc/auto.master

Here is the sample file provided by Ubuntu:

#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
#/net   -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master

As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).

Add the following line at the end of /etc/auto.master:

/home   /etc/auto.home

This creates a mount point at /home and configures it according to the settings specified in /etc/auto.home (which we are about to create).

Now we will create the file which countains our automounter map:

sudo nano /etc/auto.home

This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.

*   -fstype=nfs4,rw,soft,sec=krb5   neo.danbishop.org:/home/&

This will automount any directory you try to access in /home allowing any user to login

All that remains is to restart automount (personally I’d just reboot the machine) by running:

sudo service autofs restart

Finally, we want the local machine to use LDAP groups and users over local ones so that domain administrators will have admin access to every machine on the network. This is done by editing /etc/nsswtich.conf

sudo nano /etc/nsswitch.conf

By default the file looks like so:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
 
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
 
hosts:          files dns
networks:       files
 
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
 
netgroup:       nis

We want to change passwd, group and shadow to use LDAP first:

passwd:         ldap files
group:          ldap files
shadow:         ldap files

Now restart the client machine and you’re done!

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 6 – Account Management

Dan Bishop — Sun, 01 May 2011 16:36:33 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

Now you have OpenLDAP and Kerberos up and running, it’s time to learn how to manage your users and groups.

Management Scripts Configuration

Firstly, we’re going to install some scripts to aid with basic management tasks:

sudo apt-get install ldapscripts

Now we need to edit the config file /etc/ldapscripts/ldapscripts.conf uncommenting and changing the following to match your environment:

#  Copyright (C) 2005 Ganal LAPLANCHE - Linagora
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.
 
# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.
 
 
# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
 
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
#BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
 
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)
 
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
 
# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="yes"      # Create home directories and set rights ?
#HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
#HOMEPERMS="755"       # Default permissions for home directories
 
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
PASSWORDGEN="pwgen -s"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN=""
 
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 
# Where to log
LOGFILE="/var/log/ldapscripts.log"
 
# Temporary folder
TMPDIR="/tmp"
 
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
 
# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
 
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"
 
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
 
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""
 
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

The changes from the default file are highlighted below:

# Provides LDAP server's address and the admin username
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
 
# These have all been uncommented, Users changed to People
# and the correct suffix set for our domain
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)
 
# This creates home directories when we create users
CREATEHOMES="yes"

If you’ve read through the default comments in /etc/ldapscripts/ldapscripts.conf you’ll see that it finds the LDAP admin password from a /etc/ldap.secret file. So the following two commands create that file, write our admin password to it (change PASSWORD to your admin password) and then set it to be non-world-readable. This prevents users discovering your LDAP password, but allows root, or processes running as root, to read the file and find the password.

sudo sh -c "echo -n 'PASSWORD' > /etc/ldap.secret"
sudo chmod 400 /etc/ldap.secret

You might also have noticed that /etc/adduser.conf is used to determine home directory defaults. Ubuntu allows users to view the contents of other user’s home directories by default. In some environments, particularly home environments, this is fine, but you might want to change that by editing DIR_MODE=0755 to be DIR_MODE=0700.

Managing Users

Now the LDAP scripts are configured we can start creating users. We’re going to use the group name “admin” for administrators as this is the default for Ubuntu and will enable us to give admin rights to users on every machine on the network without any further configuration. However, as this group already exists as a local group, we need to be very careful that we don’t lock ourselves out of the server here…

The first thing to do is create a password for our first admin user. As we are using Kerberos for authentication, the administrator needs a principal creating. This is done like so:

sudo kadmin.local -q "addprinc dan"

Now we need some groups to hold our users. The first two groups we will create will be “admin” and “user”:

sudo ldapaddgroup admin
sudo ldapaddgroup user

Next we will create a user and assign him to a group:

sudo ldapadduser dan 10001

Note the use of group 10001 rather than simply “admin”. This is to avoid any confusion with the local admin group on the server. In some instances, I’ve seen this cause issues. Group 10001 will be the first ldap group you created, you can see the GIDs for all groups by using the command “getent group”.

And finally add the user to the user group:

sudo ldapaddusertogroup dan 10002

You can now login to the server (and later client machines) as this user. The “localadmin” account on the server will no longer be able to use sudo as it doesn’t belong to the ldap “admin” group, only the local one. For subsequent users, you may create the Kerberos principal after creating the LDAP user if you prefer.

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 5 – NFS

Dan Bishop — Sun, 01 May 2011 16:09:17 +0000

Part 1 – DHCP and DNS

Part 6 – Account Management

Part 7 – Setting Up Clients

This section will help you configure NFS; using Kerberos to secure it.

The first step is to install the following NFS packages:

sudo apt-get install nfs-kernel-server nfs-common

NFSv4 uses a pseudo filesystem by mounting the real directories you want to export under an export folder using the -bind mount option. We need to create this folder system as follows:

sudo mkdir /export
sudo mkdir /export/home

In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:

/home    /export/home   none    bind  0  0

This will take care of mounting the directories next time he server reboots, but for now we can manually mount it using:

sudo mount /export/home

Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:

NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

Then by setting the following options in /etc/default/nfs-kernel-server:

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=

/etc/idmapd.conf needs to configured with the correct domain name for user/group name mappings:

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Next we need to create Kerberos principals for the NFS server.

sudo kadmin.local -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"

sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.

Finally, a small change is needed to enable weak encryption (the only type currently supported by NFS in Ubuntu) in Kerberos. This is done by editing /etc/krb5.conf and adding the following to the [libdefaults] section:

allow_weak_crypto = true