Ubuntu 11.04 SBS (Small Business Server) Setup: Part 7 – Setting Up Clients

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.

Part 1 – DHCP and DNS
Part 2 – NTP
Part 3 – OpenLDAP
Part 4 – Kerberos
Part 5 – NFS
Part 6 – Account Management
Part 7 – Setting Up Clients

The clients are going to be configured so that they mount home directories from the server and verify usernames and passwords using LDAP and Kerberos.

I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already. However, whilst installing I recommend you create a local user named “localadmin”. We will use this account to configure the client.

First we need to install some packages:

sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common

If you’ve been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.

If asked to enter your default Kerberos Version 5 realm enter: “DANBISHOP.ORG”

You might then be asked for the address of the kerberos server: “neo.danbishop.org”

The address of the administrative server: “neo.danbishop.org”

The address of your ldap server: “ldap://neo.danbishop.org/”

LDAP server search base: “dc=danbishop,dc=org”

Finally, you are asked which name services to configure. Make sure you select group, passwd and shadow!

Run

sudo pam-auth-update

And ensure that LDAP and Kerberos are selected. (LDAP is only offered here once libpam-ldapd is installed, as noted in the comments below.)

Now we configure idmapd so that the client correctly maps user and group names to IDs. To do this you simply need to change the domain in /etc/idmapd.conf to match your own, like so:

sudo nano /etc/idmapd.conf

[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

Now for the home directories…

Although we have configured everything so that clients can get Kerberos settings from DNS, kadmin does not fully support this 🙁

This means we’re going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.

Add the following to the [realms] section of /etc/krb5.conf:

[realms]
         DANBISHOP.ORG = {
             kdc = neo.danbishop.org
             admin_server = neo.danbishop.org
             master_kdc = neo.danbishop.org
             default_domain = danbishop.org
         }

Now we’re going to create a Kerberos principal for NFS on the client. The principal name must be nfs/ followed by the client’s fully qualified hostname (dan-desktop.danbishop.org here):

kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"

Having specified the admin server in /etc/krb5.conf, we can run these commands directly from the client.

Now we need to add the principal that’s just been created on the server to the keytab file on the client (ktadd writes to /etc/krb5.keytab, which is why sudo is needed here):

sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"

Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you’re interested in why this is the case there are numerous bug reports on Launchpad. Be aware that this setting re-enables the single-DES encryption types for everything this client does with Kerberos, not just NFS, so it is worth removing again once the fix lands. For now though, add the following to the [libdefaults] section of /etc/krb5.conf:

allow_weak_crypto = true
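Once the realm stanza, principal and keytab are in place, it is worth confirming the result before moving on. The script below is an added example for this guide, not Dan’s code. It assumes the realm, client FQDN and file paths are passed as arguments; the klist -k sample inside it is constructed so the parsing can be tried without a KDC.

```shell
#!/bin/sh
# Added example (not part of the original guide): post-install checks for the
# Kerberos side of a client. It verifies that the realm stanza is present in
# krb5.conf, that the keytab holds the nfs/<fqdn> principal written by ktadd,
# that the keytab is not readable by other users, and reports whether
# allow_weak_crypto is still switched on so it can be reverted later.
# REALM, CLIENT_FQDN and the paths are parameters, not fixed values.

# Does krb5.conf define "<REALM> = {" inside its [realms] section?
krb5_has_realm() {           # usage: krb5_has_realm /etc/krb5.conf DANBISHOP.ORG
    awk -v realm="$2" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); section = s }
        section == "realms" && $1 == realm && $2 == "=" { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Is "allow_weak_crypto = true" set in [libdefaults]? Exit status 0 means it is on.
krb5_weak_crypto_enabled() { # usage: krb5_weak_crypto_enabled /etc/krb5.conf
    awk '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); section = s }
        section == "libdefaults" && $1 == "allow_weak_crypto" && $NF ~ /^(true|yes)$/ { on = 1 }
        END { exit on ? 0 : 1 }' "$1"
}

# Given the text of "klist -k" output, is the principal listed?
# Entry lines look like "   2 nfs/dan-desktop.danbishop.org@DANBISHOP.ORG".
keytab_has_principal() {     # usage: keytab_has_principal "$(sudo klist -k)" nfs/host@REALM
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# A keytab holds a long-term key: it should be owned by root and mode 0600.
keytab_mode_ok() {           # usage: keytab_mode_ok /etc/krb5.keytab
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Constructed sample of "klist -k" output, used for the offline demonstration.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/dan-desktop.danbishop.org@DANBISHOP.ORG
   2 nfs/dan-desktop.danbishop.org@DANBISHOP.ORG'

# Run every check against the real client files; prints one line per check.
check_client() {             # usage: check_client DANBISHOP.ORG dan-desktop.danbishop.org
    realm=$1 fqdn=$2 conf=/etc/krb5.conf keytab=/etc/krb5.keytab
    krb5_has_realm "$conf" "$realm" && echo "ok   realm $realm in $conf" \
        || echo "FAIL realm $realm missing from $conf"
    keytab_has_principal "$(klist -k "$keytab")" "nfs/$fqdn@$realm" \
        && echo "ok   nfs/$fqdn@$realm in $keytab" || echo "FAIL nfs/$fqdn@$realm not in $keytab"
    keytab_mode_ok "$keytab" && echo "ok   $keytab is mode 0600" \
        || echo "FAIL $keytab is mode $(stat -c '%a' "$keytab"), expected 0600"
    krb5_weak_crypto_enabled "$conf" \
        && echo "note allow_weak_crypto is on; remove it once NFS no longer needs DES" \
        || echo "ok   allow_weak_crypto is off"
}

# Only perform the live checks when invoked as: sudo sh krb5-client-check.sh --run REALM FQDN
if [ "${1-}" = "--run" ]; then
    check_client "${2:?realm}" "${3:?client fqdn}"
fi
```

Run it as sudo sh krb5-client-check.sh --run DANBISHOP.ORG dan-desktop.danbishop.org on the client (root is needed to read the keytab), or source the file to call the individual functions. The mode check is there because anyone who can read /etc/krb5.keytab holds the client’s long-term NFS key.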

Configuring NFS

NFS needs to be configured to use kerberos by editing /etc/default/nfs-common:

# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=yes

Note that NEED_IDMAPD and NEED_GSSD have been set to yes.

AutoFS

Now we’re going to install and configure autofs to mount home directories on login.

Install the autofs package:

sudo apt-get install autofs

To configure autofs we will edit /etc/auto.master.

sudo nano /etc/auto.master

Here is the sample file provided by Ubuntu:

#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
#/misc  /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
#       "nosuid" and "nodev" options unless the "suid" and "dev"
#       options are explicitly given.
#
#/net   -hosts
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master

As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).

Add the following line at the end of /etc/auto.master:

/home   /etc/auto.home

This creates a mount point at /home and configures it according to the settings specified in /etc/auto.home (which we are about to create).

Now we will create the file which contains our automounter map:

sudo nano /etc/auto.home

This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.

*   -fstype=nfs4,rw,soft,sec=krb5   neo.danbishop.org:/home/&

This will automount any directory you try to access in /home, allowing any user to log in 🙂 The * key matches whatever name is looked up under /home and & substitutes that name into the server path. One caveat: with soft, an NFS operation that keeps timing out returns an error to the application instead of waiting, which for home directories can leave half-written files; use hard if you would rather a client block until the server is back.

All that remains is to restart automount (personally I’d just reboot the machine) by running:

sudo service autofs restart
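The auto.master edit and the auto.home map above can be applied and sanity-checked with the following script, an added example rather than part of the original guide. It assumes the server name and mount options are passed in, and takes an optional root prefix so the functions can be exercised against a scratch copy of /etc before touching the real files.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the autofs changes
# idempotently and check the resulting map. ROOT is a prefix such as a
# temporary directory for testing; omit it (or pass "") on a real client.

# Comment out "+auto.master" and add the "/home /etc/auto.home" line exactly once.
autofs_master_setup() {      # usage: autofs_master_setup [ROOT]
    root=${1:-}
    master="$root/etc/auto.master"
    sed -i 's/^+auto\.master/#+auto.master/' "$master"   # the line the guide says to comment out
    grep -q '^/home[[:space:]]' "$master" || printf '/home\t/etc/auto.home\n' >> "$master"
}

# Write the indirect map for home directories: wildcard key, NFSv4 over Kerberos.
autofs_home_map() {          # usage: autofs_home_map SERVER [ROOT] [OPTIONS]
    server=$1 root=${2:-} opts=${3:-fstype=nfs4,rw,soft,sec=krb5}
    printf '*\t-%s\t%s:/home/&\n' "$opts" "$server" > "$root/etc/auto.home"
}

# Parse each "key -options location" line and fail unless every mount is NFSv4
# with Kerberos security, so nothing silently falls back to sec=sys.
autofs_map_check() {         # usage: autofs_map_check /etc/auto.home
    awk '
        NF == 0 || /^#/ { next }                                   # blanks and comments
        NF != 3 || $2 !~ /^-/ { print "bad map line: " $0; bad = 1; next }
        {
            key = $1; opts = "," substr($2, 2) ","; loc = $3
            if (opts !~ /,fstype=nfs4,/)   { print key ": not fstype=nfs4"; bad = 1 }
            if (opts !~ /,sec=krb5[ip]?,/) { print key ": not Kerberos-secured (sec=krb5)"; bad = 1 }
            if (loc !~ /^[^:]+:\//)        { print key ": location is not host:/path"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Live use: sudo sh autofs-home.sh --apply neo.danbishop.org
if [ "${1-}" = "--apply" ]; then
    autofs_master_setup && autofs_home_map "${2:?usage: --apply SERVER}" \
        && autofs_map_check /etc/auto.home && service autofs restart
fi
```

The check function is the useful part on an existing client: run autofs_map_check /etc/auto.home after any edit to be sure the home map still requests sec=krb5, since a map that drops it would mount home directories with no Kerberos protection at all.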

Finally, we want the local machine to consult LDAP users and groups before local ones, so that domain administrators will have admin access to every machine on the network. This is done by editing /etc/nsswitch.conf:

sudo nano /etc/nsswitch.conf

By default the file looks like so:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

We want to change passwd, group and shadow to use LDAP first:

passwd:         ldap files
group:          ldap files
shadow:         ldap files
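To confirm that the idmapd, nfs-common and nsswitch.conf edits from this part all took effect, here is an added audit script (not from the original guide). It reads the three files and reports each setting the guide requires, and it includes a function that performs the nsswitch.conf change above. It assumes the domain is passed as an argument and accepts an optional root prefix for testing against copies of the files.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the plain-text client
# files edited in this part and rewrite nsswitch.conf so passwd, group and
# shadow consult LDAP before local files. ROOT is a scratch prefix for testing;
# omit it (or pass "") on a real client.

# Read "Key = value" from a section of an ini-style file such as idmapd.conf.
ini_get() {                  # usage: ini_get /etc/idmapd.conf General Domain
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); in_sec = (s == sec); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# Read VAR=value from /etc/default/nfs-common (shell-style assignments, last one wins).
default_get() {              # usage: default_get /etc/default/nfs-common NEED_GSSD
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Which sources does nsswitch.conf list for a database, in order?
nss_sources() {              # usage: nss_sources /etc/nsswitch.conf passwd  -> "ldap files"
    awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Put ldap first for passwd, group and shadow; every other database is left alone.
nss_prefer_ldap() {          # usage: sudo sh -c '. ./client-audit.sh; nss_prefer_ldap /etc/nsswitch.conf'
    sed -i -r 's/^(passwd|group|shadow):([[:space:]]+).*/\1:\2ldap files/' "$1"
}

# Report each setting this part of the guide requires; exit 1 if any is wrong.
client_audit() {             # usage: client_audit danbishop.org [ROOT]
    domain=$1 root=${2:-} rc=0
    [ "$(ini_get "$root/etc/idmapd.conf" General Domain)" = "$domain" ] \
        && echo "ok   idmapd Domain = $domain" || { echo "FAIL idmapd Domain is not $domain"; rc=1; }
    for var in NEED_IDMAPD NEED_GSSD; do
        [ "$(default_get "$root/etc/default/nfs-common" "$var")" = yes ] \
            && echo "ok   $var=yes" || { echo "FAIL $var is not yes"; rc=1; }
    done
    for db in passwd group shadow; do
        case "$(nss_sources "$root/etc/nsswitch.conf" "$db")" in
            ldap*) echo "ok   $db: ldap first" ;;
            *)     echo "FAIL $db: ldap is not the first source"; rc=1 ;;
        esac
    done
    return $rc
}

# Live use: sh client-audit.sh --audit danbishop.org
if [ "${1-}" = "--audit" ]; then
    client_audit "${2:?usage: --audit DOMAIN}"
fi
```

A failing NEED_GSSD check is the one to look at first if Kerberos mounts hang: without rpc.gssd the client cannot obtain the NFS service context at all. The nss_prefer_ldap function edits the file in place, so run it with root privileges and keep a copy of the original.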

Now restart the client machine and you’re done! 😀

  • Javier

    Hello!
    First, thank you for this tutorial, it’s very useful! 😀

    I have made the 6 previous steps without problems but, in this one, after creating /etc/auto.home the machine doesn’t wake up anymore.

    I have read the log in the server and I get this line:
    nslcd[910]: [901d82] nslcd_passwd_byname(nfs/cliente1.adrosh.com): invalid user name

    Do you know what I’m doing wrong?

    I’m sorry for my bad English level.

  • Javier

    Other question: when I do ‘sudo pam-auth-update’ I can’t choose LDAP if I haven’t installed libpam-ldapd before. Is this correct?

    • Dan Bishop

      That’s correct yeh! 🙂

  • Brian

    Dan,

    I successfully built a server/client pair according to your instructions. Thanks again! There are a few lingering client-side issues, though. I wonder if you’ve encountered any of these:

    1) $HOME/.ICEAuthority locking or race condition
    see http://ubuntuforums.org/showthread.php?t=1581739

    2) Terminal lock due to Kerberos ticket expiration
    see http://www.spinics.net/lists/linux-nfs/msg17209.html

    3) Unable to authenticate via Gnome polkit GUI
    see https://bugs.launchpad.net/ubuntu/+source/policykit-1/+bug/781737

    Any insight that you could provide into any of these issues would be a big help.

    Cheers!

    • Dan Bishop

      These are exactly the three issues I’m trying very hard to solve right now! 🙂

      I’ve made some progress with the Gnome polkit issue… but very limited. As you’ve correctly identified, there is a bug at play here 🙁

      Once I do have the above issues solved, I’ll be sure to update the guide though! Likewise, if you make any progress yourself, please do e-mail me and I’ll be only too happy to incorporate your changes! 😀

      Thanks!

  • chris

    I can not get past the first command. I entered it and stepped away for a moment and one of the smaller kids closed the terminal and now I am stuck. Can you please help me? This is what it is saying:
    Building dependency tree
    Reading state information... Done
    The following packages will be REMOVED:
    xaw3dg
    0 upgraded, 0 newly installed, 1 to remove and 45 not upgraded.
    E: Could not get lock /var/cache/apt/archives/lock - open (11: Resource temporarily unavailable)
    E: Unable to lock directory /var/cache/apt/archives/
    mamarose@mamarose-Presario-C500-RQ335UA-ABA:~$ sudo apt-get autoremove krb5-user libpam-krb5 libnss-ldapd nfs-common
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Package libpam-krb5 is not installed, so not removed
    Package nfs-common is not installed, so not removed
    Package libnss-ldapd is not installed, so not removed
    Package krb5-user is not installed, so not removed
    The following packages will be REMOVED:
    xaw3dg
    0 upgraded, 0 newly installed, 1 to remove and 45 not upgraded.
    E: Could not get lock /var/cache/apt/archives/lock - open (11: Resource temporarily unavailable)
    E: Unable to lock directory /var/cache/apt/archives/
    Thank you for any help you can give me.

  • Kh. Rashedul Arefin

    Thanks a lot for the tutorial. I have been looking for such a thing for a long time. But I need to use a Windows machine as the client too. Could you please write the steps for the integration of a Windows machine?

    Thanks and Regards
    Arefin

    • Dan Bishop

      I’m hoping to do this in a few months time. I’m still ironing out a few flaws… 🙂

  • Oliver Johnstone

    I seem to have found a solution to the “$HOME/.ICEAuthority locking or race condition” error. To fix it all you need to do is add “touch .ICEauthority-c” to the .gnomerc file in the user’s home directory. If you want this to be automated for all users you can uncomment the HOMESKEL=”/etc/skel” line in the ldapscripts.conf file and add the .gnomerc file in the /etc/skel directory.

    BTW, thanks for this tutorial, it’s been a huge help.