This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – Kerberos
Part 5 – NFS
Part 6 – Account Management
Part 7 – Setting Up Clients

It’s time to install and configure Kerberos.

Read More >>

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network. Part 1 - DHCP and DNS Part 2 - NTP Part 3 - OpenLDAP Part 4 - Kerberos Part 5 - NFS Part 6 - Account Management Part 7 - Setting Up Clients It's time to install and configure Kerberos. sudo apt-get install krb5-kdc krb5-admin-server The packages will automatically configure Kerberos for the correct realm from the information provided by Dnsmasq earlier in this guide. All we have to do is create the database for the realm using the following tool: sudo krb5_newrealm There will be a slight delay whilst the server gathers enough random data to continue, then you will be asked to enter a master key for Kerberos, make sure you use something secure and memorable. To configure Kerberos for NFS later, we'll need to create an admin user. sudo kadmin.local The following output should be observed: Authenticating as principal root/admin@DANBISHOP.ORG with password. kadmin.local: Enter the following: addprinc dan/admin Enter a password when prompted, then quit: WARNING: no policy specified for dan/admin@DANBISHOP.ORG; defaulting to no policy Enter password for principal "dan/admin@DANBISHOP.ORG": Re-enter password for principal "dan/admin@DANBISHOP.ORG": Principal "dan/admin@DANBISHOP.ORG" created. kadmin.local: quit We need to give dan/admin admin privileges by editing the access control list for Kerberos (/etc/krb5kdc/kadm5.acl) this file should contain the following: # This file Is the access control list for krb5 administration. # When this file is edited run /etc/init.d/krb5-admin-server restart to activate # One common way to set up Kerberos administration is to allow any principal # ending in /admin is given full administrative rights. # To enable this, uncomment the following line: */admin * Note that the last line has been uncommented so that all /admin principals have admin rights. To get Kerberos to use the new ACL we need to restart it: sudo service krb5-admin-server restart Now we can test everything has worked with: kinit dan/admin Enter the password you set when requested then run klist: klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: dan/admin@DANBISHOP.ORG Valid starting Expires Service principal 02/05/11 19:57:24 02/06/11 05:57:24 krbtgt/DANBISHOP.ORG@DANBISHOP.ORG renew until 02/06/11 19:57:21 If you get output something like the above then congratulations, you have a fully functioning Kerberos Realm :) Finally, we can enable kerberos authentication to login to the server. sudo apt-get install libpam-krb5 sudo pam-auth-update Check that Kerberos and LDAP are selected as authentication methods to allow users to login/ssh into the server.

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – Kerberos
Part 5 – NFS
Part 6 – Account Management
Part 7 – Setting Up Clients

OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we’ll be using Kerberos for this purpose.

Read More >>

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network. Part 1 - DHCP and DNS Part 2 - NTP Part 3 - OpenLDAP Part 4 - Kerberos Part 5 - NFS Part 6 - Account Management Part 7 - Setting Up Clients OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we're going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we'll be using Kerberos for this purpose. The first step is to install OpenLDAP along with some utilities for administering it. sudo apt-get install slapd ldap-utils You will be prompted for an LDAP admin password, once you have set this, much of the manual configuration that had to be done in previous release is handled automatically in 11.04. Ubuntu will configure LDAP using the domain information we supplied in previous steps in this guide. If you do wish to make changes to this though, you can run "sudo dpkg-reconfigure slapd". All that remains to be done is creating a place in the OpenLDAP directory to store our users and our groups. This is done by creating a frontend.danbishop.org.ldif file like so: dn: ou=Users,dc=danbishop,dc=org objectClass: organizationalUnit ou: Users dn: ou=Groups,dc=danbishop,dc=org objectClass: organizationalUnit ou: Groups Please note: it is important that you have a new line between "ou:Users" and "dn: ou=Groups,dc=danbishop,dc=org" if you're copying and pasting the above, it will have a space at the beginning of the blank line, you must remove this! Now we add the LDIF in the following way, entering your root LDAP password when prompted (the one you set during slapd installation): sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif LDAP Authentication on the Server LDAP doesn't actually contain any users or groups yet, but now would be a good time to configure the server to check ldap for login information, so that after we've setup Kerberos and created our first users we're ready to go! This is actually very easy to configure, it simply requires the installation of two packages: sudo apt-get install libnss-ldapd libpam-ldapd During the configuration section of the installation, you will be asked to confirm your LDAP settings and which services you'd like to enable LDAP for, you should select "group", "passwd" and "shadow". The packages will then configure /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf to work automatically. References http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-lucid-part2

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – Kerberos
Part 5 – NFS
Part 6 – Account Management
Part 7 – Setting Up Clients

Your server will automatically request the time from the Ubuntu NTP servers on every boot… but hopefully you’re not going to reboot it very often. It is useful for the server time to be correct when debugging and it is ESSENTIAL for the server and all the clients on the network to have the same time (±5mins by default) for Kerberos to work.

Read More >>

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network. Part 1 - DHCP and DNS Part 2 - NTP Part 3 - OpenLDAP Part 4 - Kerberos Part 5 - NFS Part 6 - Account Management Part 7 - Setting Up Clients Your server will automatically request the time from the Ubuntu NTP servers on every boot... but hopefully you're not going to reboot it very often. It is useful for the server time to be correct when debugging and it is ESSENTIAL for the server and all the clients on the network to have the same time (±5mins by default) for Kerberos to work. Fortunately, this is a very easy thing to configure on Ubuntu. Simply install ntpd with: sudo apt-get install ntp As of Ubuntu 11.04, a default pool of NTP servers will be used. # Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board # on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for # more information. server 0.ubuntu.pool.ntp.org server 1.ubuntu.pool.ntp.org server 2.ubuntu.pool.ntp.org server 3.ubuntu.pool.ntp.org However you can change this by editing /etc/ntp.conf References https://help.ubuntu.com/10.04/serverguide/C/NTP.html

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – Kerberos
Part 5 – NFS
Part 6 – Account Management
Part 7 – Setting Up Clients

The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.

Read More >>

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network. Part 1 - DHCP and DNS Part 2 - NTP Part 3 - OpenLDAP Part 4 - Kerberos Part 5 - NFS Part 6 - Account Management Part 7 - Setting Up Clients The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on. Make sure you have disabled DHCP on your router and set a static IP address for the server. This is done by editing /etc/network/interfaces like so: # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address 192.168.0.2 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 gateway 192.168.0.1 It's time to configure resolv.conf so that your server (and soon clients) can query name servers other than your own. This way, when a client looks up an address outside of danbishop.org (google.co.uk for example) dnsmasq (the software we'll be using for DHCP and DNS) will query the name servers in resolv.conf. Dnsmasq will then cache the IP for subsequent requests from any client speeding up DNS across your network :) In this case we're going to use our own DNS server as the primary DNS, followed by Google's public DNS servers. You can of course substitute Google's servers for your own ISP's, or any other DNS server. So time to edit /etc/resolv.conf: domain danbishop.org search danbishop.org nameserver 192.168.0.2 nameserver 8.8.8.8 nameserver 8.8.4.4 Now it's time to install Dnsmasq: sudo apt-get install dnsmasq Dnsmasq will take care of both DNS and DHCP for your network. We will configure it so that as it allocates IP addresses to clients on the network, it also adds them into its DNS server. This way both forward and reverse lookups will work on any machine, as required by Kerberos :) The configuration file for Dnsmasq (/etc/dnsmasq.conf) is HUGE. However it is VERY well commented making it very easy to play around. The important things for this guide are: domain=danbishop.org #sets the domain name you're going to use dhcp-range=192.168.0.50,192.168.0.150,12h #sets the range from which to allocate IP addresses to clients and the lease time dhcp-option=option:router,192.168.0.1 #sets the IP address of the router (gateway address) to be given to clients dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2 dhcp-authoritative #makes this the authoritative (in this case ONLY) DHCP server on the network # Server DNS settings... this is required as the server itself will # not be obtaining it's IP address via DHCP and therefore would # not be automatically added to the DNS records for forward/reverse # DNS queries as required by Kerberos ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org" address=/neo.danbishop.org/192.168.0.2 # Kerberos and LDAP automatic stuff... # This maps kerberos.danbishop.org and # ldap.danbishop.org to the server and also makes all # dhcp clients aware of the kerberos realm... magic :D address=/kerberos.danbishop.org/192.168.0.2 address=/ldap.danbishop.org/192.168.0.2 txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG" srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88 srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88 srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88 srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749 srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464 srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389 It is well worth reading through the entire configuration file though as there is a lot to be learnt from the excellent comments! Dnsmasq is now configured to act as your network's DHCP server and clients are told to use your server for DNS queries. Now you're all set to get DNS and DHCP up and running. Simply restart the service to load the new configuration: sudo service dnsmasq restart References https://help.ubuntu.com/community/Dnsmasq

THIS SECTION IS A WORK IN PROGRESS! A DESCRIPTION OF WHAT WILL BE ACHIEVED FOLLOWS:

By their very nature, laptops tend to have unreliable network connections. Sometimes they’ll be connected to wifi at work, wired at home, 3G/mobile networks out and about… sometimes no connection at all.

The aim of this part of the guide is to make the laptop function as much like a desktop client as possible, but taking into account the network connection issues.

The first time a user logs in to the laptop, their home directory will be copied to the laptop and their login credentials cached. The home directory will continue to be synchronised in the background whilst the user works, this will avoid the need to resync at logoff causing a long delay at a potentially very inconvenient time for the user.

The next time the user logs into the laptop, their credentials will again be checked against the Kerberos server… but if this is unavailable, the cached credentials will be used. Should a network connection become available once the user has logged in, synchronisation will begin in the background. If not, the sync will simply happen the next time the user does have a network connection.

Synchronisation will be handled by Unison using SSH. Whilst the use of Kerberised SSH is a possibility, it would required the user being prompted for their password when a network connection becomes available post-login so as to obtain a ticket. To avoid this, SSH keys will be used instead.

Changes to the Server

Before we begin, it is necessary to install unison on the server like so:

sudo apt-get install unison

The Laptop

Follow the regular client guide but DO NOT setup AUTOFS – relevant parts will be copy and pasted here soon. Then:

sudo apt-get install auth-client-config nss-updatedb libnss-db libpam-cracklib libpam-ccreds

sudo nano /etc/auth-client-config/profile.d/krb-auth-config

[krb5ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth       sufficient   pam_krb5.so
         auth       required     pam_unix.so nullok_secure use_first_pass
pam_account=account    sufficient   pam_krb5.so
            account    required     pam_unix.so
pam_password=password   sufficient   pam_krb5.so
             password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
            session    required     pam_mkhomedir.so skel=/etc/skel/
            session    optional     pam_krb5.so
            session    optional     pam_foreground.so
            session    optional     pam_exec.so /bin/sh /usr/share/episync/epi-home-prep
 
[krb5ldap.cached]
nss_passwd=passwd: files ldap [NOTFOUND=return] db
nss_group=group: files ldap [NOTFOUND=return] db
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth   required       pam_env.so
         auth   sufficient     pam_unix.so likeauth nullok
         auth   [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
         auth   [default=die success=done] pam_ccreds.so action=validate use_first_pass
         auth   sufficient pam_ccreds.so action=store use_first_pass
         auth   required        pam_deny.so
pam_account=account    sufficient   pam_krb5.so
            account    required     pam_unix.so
pam_password=password   sufficient   pam_krb5.so
             password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
            session    required     pam_mkhomedir.so skel=/etc/skel/
            session    optional     pam_krb5.so
            session    optional     pam_foreground.so

sudo nss_updatedb ldap
sudo auth-client-config -a -p krb5ldap.cached

sudo mkdir /usr/share/episync
sudo nano /usr/share/episync/epi-home-prep

#!/bin/bash
 
USER=$PAM_USER
USERHOME=/home/$USER
 
PROFILE=$USERHOME/.profile
CONFIGURED_STAMP=~/.episync-configured-do-not-delete
SETUP_SCRIPT=/usr/share/episync/episync-user-setup
 
COMMENT="# Added by episync"
if ! grep -q "$COMMENT" $PROFILE
then
    echo "\n$COMMENT" >> $PROFILE
    # Execute episync setup unless it's already configured
    # echo "[ -f $CONFIGURED_STAMP ] || $SETUP_SCRIPT" >> $PROFILE
    # Always execute the roaming profile sync tool
    echo "/usr/share/episync/episync-sync" >> $PROFILE
fi
 
# Set proper .profile ownership
chown $USER: $PROFILE

 sudo nano /usr/share/episync/episync-sync

 
#!/bin/bash
 
# If server address is not in the environment, read it
if [ -z "$SERVER" ]
then
    SERVER=`grep ^host /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1`
fi
 
# Generate key pair if not already done
if ! [ -f ~/.ssh/id_rsa.pub ]
then
    . /usr/share/episync/episync-generate-key
fi
 
# FIXME: This doesn't work, investigate why
IGNORE_LIST="-ignore 'Path .gvfs' -ignore 'Path .local/share/Trash' -ignore 'Regex .*(cache|Cache|te?mp|history|thumbnails).*'"
 
# Sync files with pulsating progress bar
(echo ; unison $HOME ssh://$USER@$SERVER//$HOME -batch) | zenity --title='EpiSync' --progress --auto-close --pulsate --text='Synchronising your files.'

sudo nano /usr/share/episync/episync-generate-key

#!/bin/bash
 
# If server address is not in the environment, read it
if [ -z "$SERVER" ]
then
    SERVER=`grep ^host /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1`
fi
 
TEXT="Welcome to EpiSync first login configuration.
 
You are seeing this because you have not logged onto this laptop before. After you close this dialog, you will be asked for your password. It is needed to copy your public key to the server so that your files can be synchronised. You will not have to do this again, just this time."
 
ssh-keygen -f $HOME/.ssh/id_rsa -N ''
 
zenity --text "$TEXT" --info
 
SSH_ASKPASS=ssh-askpass setsid ssh-copy-id $SERVER
 
if [ $? -eq 0 ]
then
    zenity --text "Key copied successfully." --info
else
    zenity --text "Copy public key to $SERVER failed." --error
fi

sudo chmod +x /usr/share/episync/*

THIS SECTION IS A WORK IN PROGRESS! A DESCRIPTION OF WHAT WILL BE ACHIEVED FOLLOWS: By their very nature, laptops tend to have unreliable network connections. Sometimes they'll be connected to wifi at work, wired at home, 3G/mobile networks out and about... sometimes no connection at all. The aim of this part of the guide is to make the laptop function as much like a desktop client as possible, but taking into account the network connection issues. The first time a user logs in to the laptop, their home directory will be copied to the laptop and their login credentials cached. The home directory will continue to be synchronised in the background whilst the user works, this will avoid the need to resync at logoff causing a long delay at a potentially very inconvenient time for the user. The next time the user logs into the laptop, their credentials will again be checked against the Kerberos server... but if this is unavailable, the cached credentials will be used. Should a network connection become available once the user has logged in, synchronisation will begin in the background. If not, the sync will simply happen the next time the user does have a network connection. Synchronisation will be handled by Unison using SSH. Whilst the use of Kerberised SSH is a possibility, it would required the user being prompted for their password when a network connection becomes available post-login so as to obtain a ticket. To avoid this, SSH keys will be used instead. Changes to the Server Before we begin, it is necessary to install unison on the server like so: sudo apt-get install unison The Laptop Follow the regular client guide but DO NOT setup AUTOFS - relevant parts will be copy and pasted here soon. Then: sudo apt-get install auth-client-config nss-updatedb libnss-db libpam-cracklib libpam-ccreds sudo nano /etc/auth-client-config/profile.d/krb-auth-config [krb5ldap] nss_passwd=passwd: files ldap nss_group=group: files ldap nss_shadow=shadow: files ldap nss_netgroup=netgroup: files ldap pam_auth=auth sufficient pam_krb5.so auth required pam_unix.so nullok_secure use_first_pass pam_account=account sufficient pam_krb5.so account required pam_unix.so pam_password=password sufficient pam_krb5.so password required pam_unix.so nullok obscure min=4 max=8 md5 pam_session=session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ session optional pam_krb5.so session optional pam_foreground.so session optional pam_exec.so /bin/sh /usr/share/episync/epi-home-prep [krb5ldap.cached] nss_passwd=passwd: files ldap [NOTFOUND=return] db nss_group=group: files ldap [NOTFOUND=return] db nss_shadow=shadow: files ldap nss_netgroup=netgroup: files ldap pam_auth=auth required pam_env.so auth sufficient pam_unix.so likeauth nullok auth [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass auth [default=die success=done] pam_ccreds.so action=validate use_first_pass auth sufficient pam_ccreds.so action=store use_first_pass auth required pam_deny.so pam_account=account sufficient pam_krb5.so account required pam_unix.so pam_password=password sufficient pam_krb5.so password required pam_unix.so nullok obscure min=4 max=8 md5 pam_session=session required pam_unix.so session required pam_mkhomedir.so skel=/etc/skel/ session optional pam_krb5.so session optional pam_foreground.so sudo nss_updatedb ldap sudo auth-client-config -a -p krb5ldap.cached sudo mkdir /usr/share/episync sudo nano /usr/share/episync/epi-home-prep #!/bin/bash USER=$PAM_USER USERHOME=/home/$USER PROFILE=$USERHOME/.profile CONFIGURED_STAMP=~/.episync-configured-do-not-delete SETUP_SCRIPT=/usr/share/episync/episync-user-setup COMMENT="# Added by episync" if ! grep -q "$COMMENT" $PROFILE then echo "\n$COMMENT" >> $PROFILE # Execute episync setup unless it's already configured # echo "[ -f $CONFIGURED_STAMP ] || $SETUP_SCRIPT" >> $PROFILE # Always execute the roaming profile sync tool echo "/usr/share/episync/episync-sync" >> $PROFILE fi # Set proper .profile ownership chown $USER: $PROFILE sudo nano /usr/share/episync/episync-sync #!/bin/bash # If server address is not in the environment, read it if [ -z "$SERVER" ] then SERVER=`grep ^host /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1` fi # Generate key pair if not already done if ! [ -f ~/.ssh/id_rsa.pub ] then . /usr/share/episync/episync-generate-key fi # FIXME: This doesn't work, investigate why IGNORE_LIST="-ignore 'Path .gvfs' -ignore 'Path .local/share/Trash' -ignore 'Regex .*(cache|Cache|te?mp|history|thumbnails).*'" # Sync files with pulsating progress bar (echo ; unison $HOME ssh://$USER@$SERVER//$HOME -batch) | zenity --title='EpiSync' --progress --auto-close --pulsate --text='Synchronising your files.' sudo nano /usr/share/episync/episync-generate-key #!/bin/bash # If server address is not in the environment, read it if [ -z "$SERVER" ] then SERVER=`grep ^host /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1` fi TEXT="Welcome to EpiSync first login configuration. You are seeing this because you have not logged onto this laptop before. After you close this dialog, you will be asked for your password. It is needed to copy your public key to the server so that your files can be synchronised. You will not have to do this again, just this time." ssh-keygen -f $HOME/.ssh/id_rsa -N '' zenity --text "$TEXT" --info SSH_ASKPASS=ssh-askpass setsid ssh-copy-id $SERVER if [ $? -eq 0 ] then zenity --text "Key copied successfully." --info else zenity --text "Copy public key to $SERVER failed." --error fi sudo chmod +x /usr/share/episync/*

It’s quite common to need to use SSH in scripts, particularly for backup purposes. Unfortunately, this would mean storing a password in the script, which would consequently appear in logs etc… A much better plan is to use SSH keypairs. Once you’ve created a passphrase-less keypair and copied it to both machines, you can login without a password.

Firstly SSH into the machine you want to be able to access without a password. In this case, username dan connecting to machine neo.

ssh neo -l dan

Now create the keypair with:

ssh-keygen -t rsa

When asked for a passphrase, simply hit enter for none.

Now quit the ssh session with “exit” and run the following on the machine you want to have password-less access:

ssh-copy-id -i ~/.ssh/id_rsa.pub dan@neo

All done

You can now type “ssh neo” and it will log you straight in without asking for your password!

It's quite common to need to use SSH in scripts, particularly for backup purposes. Unfortunately, this would mean storing a password in the script, which would consequently appear in logs etc... A much better plan is to use SSH keypairs. Once you've created a passphrase-less keypair and copied it to both machines, you can login without a password. Firstly SSH into the machine you want to be able to access without a password. In this case, username dan connecting to machine neo. ssh neo -l dan Now create the keypair with: ssh-keygen -t rsa When asked for a passphrase, simply hit enter for none. Now quit the ssh session with "exit" and run the following on the machine you want to have password-less access: ssh-copy-id -i ~/.ssh/id_rsa.pub dan@neo All done :) You can now type "ssh neo" and it will log you straight in without asking for your password! :D

If you notice your webcam is upside down on skype/flash but fine on everything else, there’s a good chance the following will solve your problem.

Simply run this command in a terminal, followed by the program you want to run. For example for skype:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
skype

Or

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
chromium-browser

Note that the path contains lib32 as both flash and skype are 32bit programs. If you’re actually using a 32bit version of Ubuntu you can modify the path to read: /usr/lib/libv4l/v4l1-compat.so

Update: Name change for 11.04+

If you’re using Ubuntu 11.04 (Natty) or above you need to use the following instead:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
skype

Or

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
chromium-browser

If you notice your webcam is upside down on skype/flash but fine on everything else, there's a good chance the following will solve your problem. Simply run this command in a terminal, followed by the program you want to run. For example for skype: export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so skype Or export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so chromium-browser Note that the path contains lib32 as both flash and skype are 32bit programs. If you're actually using a 32bit version of Ubuntu you can modify the path to read: /usr/lib/libv4l/v4l1-compat.so Update: Name change for 11.04+ If you're using Ubuntu 11.04 (Natty) or above you need to use the following instead: export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so skype Or export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so chromium-browser

Forgotten the admin password on your Mac? You can reset the welcome system that you usually get immediately after installing OS X (the welcome video followed by the lengthy, intrusive set of forms) to create a new admin account using the following steps:

1. Reboot
2. Hold command + s as soon as you hear the chime
3. You will be presented with a super user prompt, enter the following:

mount -uw /
rm /var/db/.AppleSetupDone
reboot

After rebooting and following the welcome process, you will have a new admin account. Login as the new admin and reset the old admin’s password, you can then log in as the old admin and delete the new admin account.

Forgotten the admin password on your Mac? You can reset the welcome system that you usually get immediately after installing OS X (the welcome video followed by the lengthy, intrusive set of forms) to create a new admin account using the following steps: Reboot Hold command + s as soon as you hear the chime You will be presented with a super user prompt, enter the following: mount -uw / rm /var/db/.AppleSetupDone reboot After rebooting and following the welcome process, you will have a new admin account. Login as the new admin and reset the old admin's password, you can then log in as the old admin and delete the new admin account.

If you have several Ubuntu machines on a network, you might like to mirror the Ubuntu repositories locally so that you’re not wasting bandwidth downloading the same packages from the internet for every single machine. If you’ve already got an Ubuntu server up and running for some other task (such as ldap+kerberos+nfs type server, or a local web server) it’s very easy to add mirroring repository functionality to it. All you need is a spare ten minutes and ~35GB of free space for main, universe and multiverse and ~70GB if you also want the source packages (deb-src).

Read More >>

If you have several Ubuntu machines on a network, you might like to mirror the Ubuntu repositories locally so that you're not wasting bandwidth downloading the same packages from the internet for every single machine. If you've already got an Ubuntu server up and running for some other task (such as ldap+kerberos+nfs type server, or a local web server) it's very easy to add mirroring repository functionality to it. All you need is a spare ten minutes and ~35GB of free space for main, universe and multiverse and ~70GB if you also want the source packages (deb-src). First step is to install apt-mirror: sudo apt-get install apt-mirror Now let's edit the configuration file for apt-mirror: sudo nano /etc/apt/mirror.list The default configuration is as follows: ############# config ################## # # set base_path /var/spool/apt-mirror # # set mirror_path $base_path/mirror # set skel_path $base_path/skel # set var_path $base_path/var # set cleanscript $var_path/clean.sh # set defaultarch # set postmirror_script $var_path/postmirror.sh # set run_postmirror 0 set nthreads 20 set _tilde 0 # ############# end config ############## deb http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse deb http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse deb http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse #deb http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse #deb http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse deb-src http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse deb-src http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse deb-src http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse #deb-src http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse #deb-src http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse clean http://archive.ubuntu.com/ubuntu You can add extra repositories to the list, in the same format as the existing ones if you want to mirror these too. You can also change the path where you want the mirrored deb files to be stored. In my case I had a /spare partition set aside for future use and this is just perfect, so I've uncommented set base_path and changed /var/... to /spare. You may also like to remove the deb-src entries if you're low on space unless you frequently use these to rebuild packages. To specify the architecture that you want to mirror for use deb-i386 or deb-amd64 as the line prefix. You can also insert use a country code to specify that your mirror should be built from a mirror in your own country. This should make both your initial download and subsequent downloads much faster. To do this for the UK for example, use http://gb.archive.ubuntu.com/ubuntu My final /etc/apt/mirror.list (which requires 52.0 GB of space) is as follows: ############# config ################## # set base_path /spare # # set mirror_path $base_path/mirror # set skel_path $base_path/skel # set var_path $base_path/var # set cleanscript $var_path/clean.sh # set defaultarch # set postmirror_script $var_path/postmirror.sh # set run_postmirror 0 set nthreads 20 set _tilde 0 # ############# end config ############## deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick main restricted universe multiverse deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse #deb http://gb.archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse #deb http://gb.archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick main restricted universe multiverse deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse clean http://gb.archive.ubuntu.com/ubuntu Having changed the base_directory, I need to create some directories under /spare like so: sudo mkdir /spare/mirror sudo mkdir /spare/skel sudo mkdir /spare/var Now we can perform our first manual update of the mirror by running the following: sudo apt-mirror /etc/apt/mirror.list If you've made a mistake with the config file and apt-mirror quits unexpectedly, you might find that the next time you run it you get the following: apt-mirror is already running, exiting at /usr/bin/apt-mirror line 187. If this is the case and you're sure that apt-mirror is not running, then delete the lock file at /spare/var/apt-mirror.lock Cron In order to keep the mirror up-to-date automatically, we need to set up a cron job. Apt-mirror installs an example cron job at /etc/cron.d/apt-mirror: # # Regular cron jobs for the apt-mirror package # # 0 4 * * * apt-mirror /usr/bin/apt-mirror > /var/spool/apt-mirror/var/cron.log If you remove the comment from the front of the last line, this will cause the mirror to be updated every day at 4am. If you want to change this you can read more about how cron jobs work here. Apache - Configuring your mirror for http access Ubuntu clients generally access repositories over http, we can set our mirror up for http access using apache2. If you've not already installed apache on your server, use: sudo apt-get install apache2 Now we need to create a symbolic link from our repository mirror, to a directory served by apache: sudo ln -s /spare/mirror/gb.archive.ubuntu.com/ubuntu/ /var/www/ubuntu Clients To get your clients to use the new mirror, simply update /etc/apt/sources.list with the new paths, for example: # deb cdrom:[Ubuntu 10.10 _Maverick Meerkat_ - Release amd64 (20101007)]/ maverick main restricted # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # newer versions of the distribution. deb http://neo.danbishop.org/ubuntu/ maverick main restricted deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick main restricted ## Major bug fix updates produced after the final release of the ## distribution. deb http://neo.danbishop.org/ubuntu/ maverick-updates main restricted deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates main restricted ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team. Also, please note that software in universe WILL NOT receive any ## review or updates from the Ubuntu security team. deb http://neo.danbishop.org/ubuntu/ maverick universe deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick universe deb http://neo.danbishop.org/ubuntu/ maverick-updates universe deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates universe ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## multiverse WILL NOT receive any review or updates from the Ubuntu ## security team. deb http://neo.danbishop.org/ubuntu/ maverick multiverse deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick multiverse deb http://neo.danbishop.org/ubuntu/ maverick-updates multiverse deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates multiverse ## Uncomment the following two lines to add software from the 'backports' ## repository. ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. deb http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse # deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse ## Uncomment the following two lines to add software from Canonical's ## 'partner' repository. ## This software is not part of Ubuntu, but is offered by Canonical and the ## respective vendors as a service to Ubuntu users. # deb http://archive.canonical.com/ubuntu maverick partner # deb-src http://archive.canonical.com/ubuntu maverick partner ## This software is not part of Ubuntu, but is offered by third-party ## developers who want to ship their latest software. deb http://extras.ubuntu.com/ubuntu maverick main deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick multiverse deb http://neo.danbishop.org/ubuntu/ maverick-updates multiverse deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates multiverse ## Uncomment the following two lines to add software from the 'backports' ## repository. ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. deb http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse # deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse ## Uncomment the following two lines to add software from Canonical's ## 'partner' repository. ## This software is not part of Ubuntu, but is offered by Canonical and the ## respective vendors as a service to Ubuntu users. # deb http://archive.canonical.com/ubuntu maverick partner # deb-src http://archive.canonical.com/ubuntu maverick partner ## This software is not part of Ubuntu, but is offered by third-party ## developers who want to ship their latest software. deb http://extras.ubuntu.com/ubuntu maverick main deb-src http://extras.ubuntu.com/ubuntu maverick main deb http://security.ubuntu.com/ubuntu maverick-security main restricted deb-src http://security.ubuntu.com/ubuntu maverick-security main restricted deb http://security.ubuntu.com/ubuntu maverick-security universe deb-src http://security.ubuntu.com/ubuntu maverick-security universe deb http://security.ubuntu.com/ubuntu maverick-security multiverse #deb http://gb.archive.ubuntu.com/ubuntu/ maverick-proposed restricted main multiverse universe deb-src http://security.ubuntu.com/ubuntu maverick-security multiverse

This is part of a guide to setting up an Ubuntu server for a small/medium business. The server will provide DHCP, DNS, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – OpenLDAP Account Management
Part 5 – Kerberos
Part 6 – NFS
Part 7 – Setting Up Clients

The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos.

Read More >>

This is part of a guide to setting up an Ubuntu server for a small/medium business. The server will provide DHCP, DNS, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network. Part 1 - DHCP and DNS Part 2 - NTP Part 3 - OpenLDAP Part 4 – OpenLDAP Account Management Part 5 – Kerberos Part 6 – NFS Part 7 – Setting Up Clients The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos. I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named "localadmin". We will use this account to configure the client. First we need to install some packages: sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common If you've been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier. If asked to enter your default Kerberos Version 5 realm enter: "DANBISHOP.ORG" You might then be asked for the address of the kerberos server: "neo.danbishop.org" The address of the administrative server: "neo.danbishop.org" The address of your ldap server: "ldap://neo.danbishop.org/" LDAP server search base: "dc=danbishop,dc=org" Finally, name services to configure. Make sure you select both group and passwd! Run sudo pam-auth-update And ensure that LDAP and Kerberos are selected. Now to configure idmapd so that the client correctly maps user and group names to ids, to do this you simply need to change the domain to match your own in /etc/idmapd.conf like so: sudo nano /etc/idmapd.conf [General] Verbosity = 0 Pipefs-Directory = /var/lib/nfs/rpc_pipefs Domain = danbishop.org [Mapping] Nobody-User = nobody Nobody-Group = nogroup Now for the home directories... Although we have configured everything so that clients can get kerberos settings from DNS... kadmin does not fully support this :( This means we're going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier. Add the following to the [realms] section of /etc/krb5.conf: [realms] DANBISHOP.ORG = { kdc = neo.danbishop.org admin_server = neo.danbishop.org master_kdc = neo.danbishop.org default_domain = danbishop.org } Now we're going to create a kerberos principal for NFS on the client like so: kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org" Having specified the admin server in /etc/krb5.conf we can run these command directly from the client. Now we need to add the principal that's just been created on the server, to the keytab file on the client: sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org" Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you're interested in why this is the case there are numerous bug reports on launchpad. For now though add the following to the [libdefaults] section of /etc/krb5.conf: allow_weak_crypto = true Configuring NFS NFS needs to be configured to use kerberos by editing /etc/default/nfs-common: # If you do not set values for the NEED_ options, they will be attempted # autodetected; this should be sufficient for most people. Valid alternatives # for the NEED_ options are "yes" and "no". # Do you want to start the statd daemon? It is not needed for NFSv4. NEED_STATD= # Options for rpc.statd. # Should rpc.statd listen on a specific port? This is especially useful # when you have a port-based firewall. To use a fixed port, set this # this variable to a statd argument like: "--port 4000 --outgoing-port 4001". # For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS STATDOPTS= # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes Note that NEED_IDMAPD and NEED_GSSD have been set to yes. AutoFS Now we're going to install and configure autofs to mount home directories on login. Install the autofs package: sudo apt-get install autofs To configure autofs we will edit /etc/auto.master. sudo nano /etc/auto.master Here is the sample file provided by Ubuntu: # # Sample auto.master file # This is an automounter map and it has the following format # key [ -mount-options-separated-by-comma ] location # For details of the format look at autofs(5). # #/misc /etc/auto.misc # # NOTE: mounts done from a hosts map will be mounted with the # "nosuid" and "nodev" options unless the "suid" and "dev" # options are explicitly given. # #/net -hosts # # Include central master map if it can be found using # nsswitch sources. # # Note that if there are entries for /net or /misc (as # above) in the included master map any keys that are the # same will not be seen as the first read key seen takes # precedence. # +auto.master As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s). Add the following line at the end of /etc/auto.master: /home /etc/auto.nfs This creates a mount point at /home and configures it according to the settings specified in /etc/auto.nfs (which we are about to create). Now we will create the file which countains our automounter map: sudo nano /etc/auto.nfs This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}. * -fstype=nfs4,rw,sec=krb5 neo.danbishop.org:/home/& This will automount any directory you try to access in /home allowing any user to login :) All that remains is to restart automount (personally I'd just reboot the machine) by running: sudo service autofs restart You're done! :D