Ubuntu 11.04 SBS (Small Business Server) Setup: Part 7 – Setting Up Clients

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNSPart 2 – NTPPart 3 – OpenLDAPPart 4 – KerberosPart 5 – NFSPart 6 – Account ManagementPart 7 – Setting Up Clients

The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos.

I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named “localadmin”. We will use this account to configure the client.

First we need to install some packages:

sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common

If you’ve been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.

If asked to enter your default Kerberos Version 5 realm enter: “DANBISHOP.ORG”

You might then be asked for the address of the kerberos server: “neo.danbishop.org”

The address of the administrative server: “neo.danbishop.org”

The address of your ldap server: “ldap://neo.danbishop.org/”

LDAP server search base: “dc=danbishop,dc=org”

Finally, name services to configure. Make sure you select group, passwd and shadow!


sudo pam-auth-update

And ensure that LDAP and Kerberos are selected.

Now to configure idmapd so that the client correctly maps user and group names to ids, to do this you simply need to change the domain to match your own in /etc/idmapd.conf like so:

sudo nano /etc/idmapd.conf 

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org


Nobody-User = nobody
Nobody-Group = nogroup

Now for the home directories…

Although we have configured everything so that clients can get kerberos settings from DNS… kadmin does not fully support this 🙁

This means we’re going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.

Add the following to the [realms] section of /etc/krb5.conf:

         DANBISHOP.ORG = {
             kdc = neo.danbishop.org
             admin_server = neo.danbishop.org
             master_kdc = neo.danbishop.org
             default_domain = danbishop.org

Now we’re going to create a kerberos principal for NFS on the client like so:

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"

Having specified the admin server in /etc/krb5.conf we can run these command directly from the client.

Now we need to add the principal that’s just been created on the server, to the keytab file on the client:

sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you’re interested in why this is the case there are numerous bug reports on launchpad. For now though add the following to the [libdefaults] section of /etc/krb5.conf:

allow_weak_crypto = true

Configuring NFS

NFS needs to be configured to use kerberos by editing /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS

# Do you want to start the idmapd daemon? It is only needed for NFSv4.

# Do you want to start the gssd daemon? It is required for Kerberos mounts.

Note that NEED_IDMAPD and NEED_GSSD have been set to yes.


Now we’re going to install and configure autofs to mount home directories on login.

Install the autofs package:

sudo apt-get install autofs

To configure autofs we will edit /etc/auto.master.

sudo nano /etc/auto.master

Here is the sample file provided by Ubuntu:

# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#/misc  /etc/auto.misc
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#/net   -hosts
# Include central master map if it can be found using
# nsswitch sources.
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.

As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).

Add the following line at the end of /etc/auto.master:

/home   /etc/auto.home

This creates a mount point at /home and configures it according to the settings specified in /etc/auto.home (which we are about to create).

Now we will create the file which countains our automounter map:

sudo nano /etc/auto.home

This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.

*   -fstype=nfs4,rw,soft,sec=krb5   neo.danbishop.org:/home/&

This will automount any directory you try to access in /home allowing any user to login 🙂

All that remains is to restart automount (personally I’d just reboot the machine) by running:

sudo service autofs restart

Finally, we want the local machine to use LDAP groups and users over local ones so that domain administrators will have admin access to every machine on the network. This is done by editing /etc/nsswtich.conf

sudo nano /etc/nsswitch.conf

By default the file looks like so:

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

We want to change passwd, group and shadow to use LDAP first:

passwd:         ldap files
group:          ldap files
shadow:         ldap files

Now restart the client machine and you’re done! 😀