Dan Bishop » ubuntu

How to Build an Ubuntu 11.10 SBS (Small Business Server)

Dan Bishop — Sat, 29 Oct 2011 10:23:02 +0000

This guide will help you configure Ubuntu Server Edition 11.10 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.

Make sure you have disabled DHCP on your router and set a static IP address for the server. This is done by editing /etc/network/interfaces like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
# The loopback network interface
auto lo
iface lo inet loopback
 
# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

It’s time to configure resolv.conf so that your server (and soon clients) can query name servers other than your own. This way, when a client looks up an address outside of danbishop.org (google.co.uk for example) dnsmasq (the software we’ll be using for DHCP and DNS) will query the name servers in resolv.conf. Dnsmasq will then cache the IP for subsequent requests from any client speeding up DNS across your network

In this case we’re going to use our own DNS server as the primary DNS, followed by Google’s public DNS servers. You can of course substitute Google’s servers for your own ISP’s, or any other DNS server.

So time to edit /etc/resolv.conf:

domain danbishop.org 
search danbishop.org 
nameserver 192.168.0.2
nameserver 8.8.8.8 
nameserver 8.8.4.4

Now it’s time to install Dnsmasq:

sudo apt-get install dnsmasq

Dnsmasq will take care of both DNS and DHCP for your network. We will configure it so that as it allocates IP addresses to clients on the network, it also adds them into its DNS server. This way both forward and reverse lookups will work on any machine, as required by Kerberos

The configuration file for Dnsmasq (/etc/dnsmasq.conf) is HUGE. However it is VERY well commented making it very easy to play around. The important things for this guide are:

domain=danbishop.org				#sets the domain name you're going to use
dhcp-range=192.168.0.50,192.168.0.150,12h	#sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1		#sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative				#makes this the authoritative (in this case ONLY) DHCP server on the network
 
# Server DNS settings... this is required as the server itself will
# not be obtaining it's IP address via DHCP and therefore would 
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org" 
address=/neo.danbishop.org/192.168.0.2 
 
# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic :D
address=/kerberos.danbishop.org/192.168.0.2 
address=/ldap.danbishop.org/192.168.0.2 
 
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464
 
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389

It is well worth reading through the entire configuration file though as there is a lot to be learnt from the excellent comments!

Dnsmasq is now configured to act as your network’s DHCP server and clients are told to use your server for DNS queries. Now you’re all set to get DNS and DHCP up and running. Simply restart the service to load the new configuration:

sudo service dnsmasq restart

References

https://help.ubuntu.com/community/Dnsmasq

Make Windows the Default Operating System in Grub2… even after Ubuntu updates…

Dan Bishop — Thu, 26 May 2011 09:06:58 +0000

Many guides for changing the default operating system for Grub2 to boot involve setting the number indicating where in the list that OS appears… unfortunately, when kernel updates are released for Ubuntu they shift everything down two places and your default OS therefore changes.

Fortunately, it is possible to set the default by name

First we need to obtain the exact name of the OS you wish to boot by running the following command:

fgrep menuentry /boot/grub/grub.cfg

You’ll get something like this:

menuentry 'Ubuntu, with Linux 2.6.38-8-generic' --class ubuntu --class gnu-linux --class gnu --class os {
menuentry 'Ubuntu, with Linux 2.6.38-8-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os {
menuentry "Memory test (memtest86+)" {
menuentry "Memory test (memtest86+, serial console 115200)" {
menuentry "Mac OS X (32-bit) (on /dev/sda2)" --class osx --class darwin --class os {
menuentry "Mac OS X (64-bit) (on /dev/sda2)" --class osx --class darwin --class os {
menuentry “Windows Vista (loader) (on /dev/sda1)” {

Now edit /etc/default/grub:

sudo nano /etc/default/grub

The default file looks like this:

# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'
 
GRUB_DEFAULT=0
#GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=10
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
 
# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
 
# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console
 
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480
 
 
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true
 
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
 
# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

In order to set Windows Vista to be the default (I know, I know… who in their right mind?!… but still…) you need to change the line that reads GRUB_DEFAULT=0 to be like so:

GRUB_DEFAULT=”Windows Vista (loader) (on /dev/sda1)”

Basically copying and pasting everything in quotes (including the quotes!) for the entry you want to be the default.

The final step is to exit and save, then update grub with:

sudo update-grub

How To Generate An SSH Keypair To Allow Password-less Logins

Dan Bishop — Sun, 03 Apr 2011 21:37:36 +0000

It’s quite common to need to use SSH in scripts, particularly for backup purposes. Unfortunately, this would mean storing a password in the script, which would consequently appear in logs etc… A much better plan is to use SSH keypairs. Once you’ve created a passphrase-less keypair and copied it to both machines, you can login without a password.

Firstly SSH into the machine you want to be able to access without a password. In this case, username dan connecting to machine neo.

ssh neo -l dan

Now create the keypair with:

ssh-keygen -t rsa

When asked for a passphrase, simply hit enter for none.

Now quit the ssh session with “exit” and run the following on the machine you want to have password-less access:

ssh-copy-id -i ~/.ssh/id_rsa.pub dan@neo

All done

You can now type “ssh neo” and it will log you straight in without asking for your password!

ASUS Upside Down Webcam in Ubuntu?

Dan Bishop — Sun, 27 Mar 2011 17:40:23 +0000

If you notice your webcam is upside down on skype/flash but fine on everything else, there’s a good chance the following will solve your problem.

Simply run this command in a terminal, followed by the program you want to run. For example for skype:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
skype

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
chromium-browser

Note that the path contains lib32 as both flash and skype are 32bit programs. If you’re actually using a 32bit version of Ubuntu you can modify the path to read: /usr/lib/libv4l/v4l1-compat.so

Update: Name change for 11.04+

If you’re using Ubuntu 11.04 (Natty) or above you need to use the following instead:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
skype

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
chromium-browser

Create Your Own Local Mirror of the Ubuntu Repositories

Dan Bishop — Fri, 11 Mar 2011 11:14:19 +0000

If you have several Ubuntu machines on a network, you might like to mirror the Ubuntu repositories locally so that you’re not wasting bandwidth downloading the same packages from the internet for every single machine. If you’ve already got an Ubuntu server up and running for some other task (such as ldap+kerberos+nfs type server, or a local web server) it’s very easy to add mirroring repository functionality to it. All you need is a spare ten minutes and ~35GB of free space for main, universe and multiverse and ~70GB if you also want the source packages (deb-src).

First step is to install apt-mirror:

sudo apt-get install apt-mirror

Now let’s edit the configuration file for apt-mirror:

sudo nano /etc/apt/mirror.list

The default configuration is as follows:

############# config ##################
#
# set base_path    /var/spool/apt-mirror
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############
 
deb http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
 
deb-src http://archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb-src http://archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
 
clean http://archive.ubuntu.com/ubuntu

You can add extra repositories to the list, in the same format as the existing ones if you want to mirror these too. You can also change the path where you want the mirrored deb files to be stored. In my case I had a /spare partition set aside for future use and this is just perfect, so I’ve uncommented set base_path and changed /var/… to /spare. You may also like to remove the deb-src entries if you’re low on space unless you frequently use these to rebuild packages.

To specify the architecture that you want to mirror for use deb-i386 or deb-amd64 as the line prefix. You can also insert use a country code to specify that your mirror should be built from a mirror in your own country. This should make both your initial download and subsequent downloads much faster. To do this for the UK for example, use http://gb.archive.ubuntu.com/ubuntu

My final /etc/apt/mirror.list (which requires 52.0 GB of space) is as follows:

############# config ##################
#
set base_path    /spare
#
# set mirror_path  $base_path/mirror
# set skel_path    $base_path/skel
# set var_path     $base_path/var
# set cleanscript $var_path/clean.sh
# set defaultarch  
# set postmirror_script $var_path/postmirror.sh
# set run_postmirror 0
set nthreads     20
set _tilde 0
#
############# end config ##############
 
deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb-amd64 http://gb.archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
#deb http://gb.archive.ubuntu.com/ubuntu maverick-proposed main restricted universe multiverse
#deb http://gb.archive.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse
 
deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick main restricted universe multiverse
deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick-security main restricted universe multiverse
deb-i386 http://gb.archive.ubuntu.com/ubuntu maverick-updates main restricted universe multiverse
 
 
clean http://gb.archive.ubuntu.com/ubuntu

Having changed the base_directory, I need to create some directories under /spare like so:

sudo mkdir /spare/mirror
sudo mkdir /spare/skel
sudo mkdir /spare/var

Now we can perform our first manual update of the mirror by running the following:

sudo apt-mirror /etc/apt/mirror.list

If you’ve made a mistake with the config file and apt-mirror quits unexpectedly, you might find that the next time you run it you get the following:

apt-mirror is already running, exiting at /usr/bin/apt-mirror line 187.

If this is the case and you’re sure that apt-mirror is not running, then delete the lock file at /spare/var/apt-mirror.lock

Cron

In order to keep the mirror up-to-date automatically, we need to set up a cron job. Apt-mirror installs an example cron job at /etc/cron.d/apt-mirror:

#
# Regular cron jobs for the apt-mirror package
#
# 0 4     * * *   apt-mirror      /usr/bin/apt-mirror > /var/spool/apt-mirror/var/cron.log

If you remove the comment from the front of the last line, this will cause the mirror to be updated every day at 4am. If you want to change this you can read more about how cron jobs work here.

Apache – Configuring your mirror for http access

Ubuntu clients generally access repositories over http, we can set our mirror up for http access using apache2. If you’ve not already installed apache on your server, use:

sudo apt-get install apache2

Now we need to create a symbolic link from our repository mirror, to a directory served by apache:

sudo ln -s /spare/mirror/gb.archive.ubuntu.com/ubuntu/ /var/www/ubuntu

Clients

To get your clients to use the new mirror, simply update /etc/apt/sources.list with the new paths, for example:

# deb cdrom:[Ubuntu 10.10 _Maverick Meerkat_ - Release amd64 (20101007)]/ maverick main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
 
deb http://neo.danbishop.org/ubuntu/ maverick main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick main restricted
 
## Major bug fix updates produced after the final release of the
## distribution.
deb http://neo.danbishop.org/ubuntu/ maverick-updates main restricted
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates main restricted
 
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://neo.danbishop.org/ubuntu/ maverick universe
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick universe
deb http://neo.danbishop.org/ubuntu/ maverick-updates universe
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates universe
 
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu 
## team, and may not be under a free licence. Please satisfy yourself as to 
## your rights to use the software. Also, please note that software in 
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://neo.danbishop.org/ubuntu/ maverick multiverse
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick multiverse
deb http://neo.danbishop.org/ubuntu/ maverick-updates multiverse
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates multiverse
 
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
# deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
 
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu maverick partner
# deb-src http://archive.canonical.com/ubuntu maverick partner
 
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu maverick main
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick multiverse
deb http://neo.danbishop.org/ubuntu/ maverick-updates multiverse
deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-updates multiverse
 
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
# deb-src http://gb.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
 
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu maverick partner
# deb-src http://archive.canonical.com/ubuntu maverick partner
 
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
deb http://extras.ubuntu.com/ubuntu maverick main
deb-src http://extras.ubuntu.com/ubuntu maverick main
 
deb http://security.ubuntu.com/ubuntu maverick-security main restricted
deb-src http://security.ubuntu.com/ubuntu maverick-security main restricted
deb http://security.ubuntu.com/ubuntu maverick-security universe
deb-src http://security.ubuntu.com/ubuntu maverick-security universe
deb http://security.ubuntu.com/ubuntu maverick-security multiverse
#deb http://gb.archive.ubuntu.com/ubuntu/ maverick-proposed restricted main multiverse universe
deb-src http://security.ubuntu.com/ubuntu maverick-security multiverse

Ubuntu 10.10 SBS (Small Business Server) Setup: Part 7 – Setting Up Clients

Dan Bishop — Tue, 15 Feb 2011 22:02:12 +0000

This is part of a guide to setting up an Ubuntu server for a small/medium business. The server will provide DHCP, DNS, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS

Part 2 – NTP

Part 3 – OpenLDAP

Part 4 – OpenLDAP Account Management

Part 5 – Kerberos

Part 6 – NFS

Part 7 – Setting Up Clients

The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos.

I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named “localadmin”. We will use this account to configure the client.

First we need to install some packages:

sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common

If you’ve been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.

If asked to enter your default Kerberos Version 5 realm enter: “DANBISHOP.ORG”

You might then be asked for the address of the kerberos server: “neo.danbishop.org”

The address of the administrative server: “neo.danbishop.org”

The address of your ldap server: “ldap://neo.danbishop.org/”

LDAP server search base: “dc=danbishop,dc=org”

Finally, name services to configure. Make sure you select both group and passwd!

Run

sudo pam-auth-update

And ensure that LDAP and Kerberos are selected.

Now to configure idmapd so that the client correctly maps user and group names to ids, to do this you simply need to change the domain to match your own in /etc/idmapd.conf like so:

sudo nano /etc/idmapd.conf

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Now for the home directories…

Although we have configured everything so that clients can get kerberos settings from DNS… kadmin does not fully support this

This means we’re going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.

Add the following to the [realms] section of /etc/krb5.conf:

[realms]
         DANBISHOP.ORG = {
             kdc = neo.danbishop.org
             admin_server = neo.danbishop.org
             master_kdc = neo.danbishop.org
             default_domain = danbishop.org
         }

Now we’re going to create a kerberos principal for NFS on the client like so:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"

Having specified the admin server in /etc/krb5.conf we can run these command directly from the client.

Now we need to add the principal that’s just been created on the server, to the keytab file on the client:

sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you’re interested in why this is the case there are numerous bug reports on launchpad. For now though add the following to the [libdefaults] section of /etc/krb5.conf:

allow_weak_crypto = true

Configuring NFS

NFS needs to be configured to use kerberos by editing /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".
 
# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=
 
# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=
 
# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes
 
# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

Note that NEED_IDMAPD and NEED_GSSD have been set to yes.

AutoFS

Now we’re going to install and configure autofs to mount home directories on login.

Install the autofs package:

sudo apt-get install autofs

To configure autofs we will edit /etc/auto.master.

sudo nano /etc/auto.master

Here is the sample file provided by Ubuntu:

#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
#/net   -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master

As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).

Add the following line at the end of /etc/auto.master:

/home   /etc/auto.nfs

This creates a mount point at /home and configures it according to the settings specified in /etc/auto.nfs (which we are about to create).

Now we will create the file which countains our automounter map:

sudo nano /etc/auto.nfs

This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.

*   -fstype=nfs4,rw,sec=krb5   neo.danbishop.org:/home/&

This will automount any directory you try to access in /home allowing any user to login

All that remains is to restart automount (personally I’d just reboot the machine) by running:

sudo service autofs restart

You’re done!

Ubuntu 10.10 SBS (Small Business Server) Setup: Part 6 – NFS

Dan Bishop — Sun, 06 Feb 2011 11:25:21 +0000

Part 1 – DHCP and DNS

Part 2 – NTP

Part 3 – OpenLDAP

Part 4 – OpenLDAP Account Management

Part 5 – Kerberos

Part 6 – NFS

Part 7 – Setting Up Clients

This section will help you configure NFS using Kerberos to secure it.

The first step is to install the following NFS packages:

sudo apt-get install nfs-kernel-server nfs-common

NFSv4 uses a pseudo filesystem by mounting the real directories you want to export under an export folder using the -bind mount option. We need to create this folder system as follows:

sudo mkdir /export
sudo mkdir /export/home

In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:

/home    /export/home   none    bind  0  0

This will take care of mounting the directories next time he server reboots, but for now we can manually mount it using:

sudo mount /export/home

Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:

NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

Then by setting the following options in /etc/default/nfs-kernel-server:

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=

/etc/idmapd.conf needs to configured with the correct domain name for user/group name mappings:

[General]
 
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org
 
[Mapping]
 
Nobody-User = nobody
Nobody-Group = nogroup

Next we need to create kerberos principals for the NFS server.

kinit dan/admin
kadmin -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"

sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.

Ubuntu 10.10 SBS (Small Business Server) Setup: Part 5 – Kerberos

Dan Bishop — Sat, 05 Feb 2011 19:58:20 +0000

Part 1 – DHCP and DNS

Part 2 – NTP

Part 3 – OpenLDAP

Part 4 – OpenLDAP Account Management

Part 5 – Kerberos

Part 6 – NFS

Part 7 – Setting Up Clients

It’s time to install and configure Kerberos.

sudo apt-get install krb5-kdc krb5-admin-server

The packages will automatically configure Kerberos for the correct realm from the information provided by Dnsmasq earlier in this guide. All we have to do is create the database for the realm using the following tool:

sudo krb5_newrealm

You will be asked to enter a master key for Kerberos, make sure you use something secure and memorable.

To configure Kerberos for NFS later, we’ll need to create an admin user.

sudo kadmin.local

The following output should be observed:

Authenticating as principal root/admin@DANBISHOP.ORG with password.
kadmin.local:

Enter the following:

addprinc dan/admin

Enter a password when prompted, then quit:

WARNING: no policy specified for dan/admin@DANBISHOP.ORG; defaulting to no policy
Enter password for principal "dan/admin@DANBISHOP.ORG": 
Re-enter password for principal "dan/admin@DANBISHOP.ORG": 
Principal "dan/admin@DANBISHOP.ORG" created.
kadmin.local: quit

We need to give dan/admin admin privileges by editing the access control list for Kerberos (/etc/krb5kdc/kadm5.acl) this file should contain the following:

# This file Is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin  is given full administrative rights.
# To enable this, uncomment the following line:
*/admin *

Note that the last line has been uncommented so that all /admin principals have admin rights. To get Kerberos to use the new ACL we need to restart it:

sudo service krb5-admin-server restart

Now we can test everything has worked with:

kinit dan/admin

Enter the password you set when requested then run klist:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dan/admin@DANBISHOP.ORG
 
Valid starting     Expires            Service principal
02/05/11 19:57:24  02/06/11 05:57:24  krbtgt/DANBISHOP.ORG@DANBISHOP.ORG
	renew until 02/06/11 19:57:21

If you get output something like the above then congratulations, you have a fully functioning Kerberos Realm

Now, we’ll configure /etc/krb5.conf on the server so that we can use the admin account in the same way on both the server and clients:

sudo dpkg-reconfigure krb5-config

It will ask what to set the default Kerberos realm to, it should have detected the correct value already so just press enter and you’re done

Finally, we can enable kerberos authentication to login to the server.

sudo apt-get install libpam-krb5
sudo pam-auth-update

Check that Kerberos is selected as an authentication method to allow users to login/ssh into the server.

Ubuntu 10.10 SBS (Small Business Server) Setup: Part 4 – OpenLDAP Account Management

Dan Bishop — Thu, 03 Feb 2011 15:26:06 +0000

Part 1 – DHCP and DNS

Part 2 – NTP

Part 3 – OpenLDAP

Part 4 – OpenLDAP Account Management

Part 5 – Kerberos

Part 6 – NFS

Part 7 – Setting Up Clients

Now you have OpenLDAP up and running, it’s time to learn how to manage your users and groups.

Management Scripts Configuration

Firstly, we’re going to install some scripts to aid with basic management tasks:

sudo apt-get install ldapscripts

Now we need to edit the config file /etc/ldapscripts/ldapscripts.conf uncommenting and changing the following to match your environment:

#  Copyright (C) 2005 Ganal LAPLANCHE - Linagora
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.
 
# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.
 
 
# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
 
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
#BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
 
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=People"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)
 
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID
 
# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="yes"      # Create home directories and set rights ?
#HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
#HOMEPERMS="755"       # Default permissions for home directories
 
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
PASSWORDGEN="pwgen -s"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN=""
 
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 
# Where to log
LOGFILE="/var/log/ldapscripts.log"
 
# Temporary folder
TMPDIR="/tmp"
 
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
 
# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"
 
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"
 
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
 
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""
 
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

The changes from the default file are highlighted below:

# Provides LDAP server's address and the admin username
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
 
# These have all been uncommented, Users changed to People
# and the correct suffix set for our domain
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=People"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)
 
# This creates home directories when we create users
CREATEHOMES="yes"

On Ubuntu 10.04 there is a bug that causes LONG delays when adding new users. This is to do with the random function used when creating the user’s initial password. There is a very easy work around however, simply change the line “PASSWORDGEN=”cat /dev/random | LC_ALL=C tr -dc ‘a-zA-Z0-9′ | head -c8″” so that /dev/random reads /dev/urandom like so: “#PASSWORDGEN=”cat /dev/random | LC_ALL=C tr -dc ‘a-zA-Z0-9′ | head -c8″”. This bug is fixed in 10.10 and as you can see PASSWORDGEN=”pwgen -s” is used instead.

If you’ve read through the default comments in /etc/ldapscripts/ldapscripts.conf you’ll see that it finds the LDAP admin password from a /etc/ldap.secret file. So the following two commands create that file, write our admin password to it (change PASSWORD to your admin password) and then set it to be non-world-readable. This prevents users discovering your LDAP password, but allows root, or processes running as root, to read the file and find the password.

sudo sh -c "echo -n 'PASSWORD' > /etc/ldap.secret"
sudo chmod 400 /etc/ldap.secret

Managing Users

Now the scripts are configured we can start creating users. The first thing to do is create some groups to hold users. The first two groups we will create will be “admin” and “user”. These will later be configured so that users in the admin group can use sudo. This is done like so:

sudo ldapaddgroup admin
sudo ldapaddgroup user

Next we will create a user and assign him to a group:

sudo ldapadduser dan admin

Set a password for the user:

sudo ldapsetpasswd dan

And finally add the user to the admin group:

sudo ldapaddusertogroup dan admin

LDAP Authentication on the Server

So LDAP now contains at least one user… how do we login to the server as that user? This is actually very easy to configure, it simply requires the installation of two packages:

sudo apt-get install libnss-ldapd libpam-ldapd

During the configuration section of the installation, you will be asked which services you’d like to enable LDAP for, you should select “group” and “passwd”. The packages will then configure /etc/nsswitch.conf, /etc/pam.d/common-auth and /etc/nslcd.conf to work automatically.

To test your new user login, either logout then try to login with the credentials you created above, or of course, start a new ssh session.

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2

Ubuntu 10.10 SBS (Small Business Server) Setup: Part 3 – OpenLDAP

Dan Bishop — Tue, 01 Feb 2011 23:35:37 +0000

Part 1 – DHCP and DNS

Part 2 – NTP

Part 3 – OpenLDAP

Part 4 – OpenLDAP Account Management

Part 5 – Kerberos

Part 6 – NFS

Part 7 – Setting Up Clients

OpenLDAP is a directory service. Think of it as a database for storing all your users, their passwords and groups. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authorisation, we’ll be using Kerberos for this purpose.

The first step is to install OpenLDAP along with some utilities for administering. We’re also going to load some basic schema (directory layouts) for storing user credentials in:

sudo apt-get install slapd ldap-utils
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

OpenLDAP uses a separate directory to hold the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indices, Access Control Lists, etc without stopping the service. In older versions and configurations, a text based configuration was used, much like that for Dnsmasq above. However, in large scale deployments OpenLDAP can become an absolutely critical service. Restarting it to load a new configuration is simply not an option.

The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a “classical” scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

To create the backend, we write an LDIF file (backend.danbishop.org.ldif) to be imported by OpenLDAP:

# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb
 
# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=danbishop,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=danbishop,dc=org
olcRootPW: PASSWORD
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=danbishop,dc=org" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=danbishop,dc=org" write by * read

Note the line “olcRootPW: PASSWORD”. Substitute PASSWORD with a (secure!) password of your choice!

Now it’s time to add the LDIF file to your directory:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.danbishop.org.ldif

That’s the boring configuration bit taken care of… now it’s time to create the directories for storing your users and groups. This is done by creating a similar file to the one above frontend.danbishop.org.ldif like so:

# Create top-level object in domain 
dn: dc=danbishop,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: danbishop Organization
dc: danbishop
description: LDAP danbishop
 
dn: ou=people,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: people
 
dn: ou=groups,dc=danbishop,dc=org
objectClass: organizationalUnit
ou: groups

And we add the LDIF in the following way, entering your root LDAP password when prompted (PASSWORD):

sudo ldapadd -x -D cn=admin,dc=danbishop,dc=org -W -f frontend.danbishop.org.ldif

Access Control

Restricting access to sensitive data such as user passwords in the directory is important. The following section describes the configuration of LDAP’s Access Control Lists (ACLs).

Authentication requires access to password field, which will not be accessible by default. Also during password change, shadowLastChange needs to be accessible too. We change these settings using an LDIF again (acls.ldif):

dn: olcDatabase={1}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="uid=admin,dc=danbishop,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to dn.subtree="" by * read
olcAccess: {2}to * by dn="uid=admin,dc=danbishop,dc=org" write by * read

We apply these changes with the following command:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-lucid-part2