How to Build an Ubuntu 11.10 SBS (Small Business Server)

This guide will help you configure Ubuntu Server Edition 11.10 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services so that users can log in to any machine on the network and find all their files and settings the same across the entire network.

Part 1: DHCP and DNS

The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.
Make sure you have disabled DHCP on your router and set a static IP address for the server. This is done by editing /etc/network/interfaces like so:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

It’s time to configure resolv.conf so that your server (and soon clients) can query name servers other than your own. This way, when a client looks up an address outside of danbishop.org (google.co.uk for example), dnsmasq (the software we’ll be using for DHCP and DNS) will query the name servers in resolv.conf. Dnsmasq will then cache the IP for subsequent requests from any client, speeding up DNS across your network 🙂

In this case we’re going to use our own DNS server as the primary DNS, followed by Google’s public DNS servers. You can of course replace Google’s servers with your own ISP’s, or any other DNS server.

So time to edit /etc/resolv.conf:

domain danbishop.org 
search danbishop.org 
nameserver 192.168.0.2
nameserver 8.8.8.8 
nameserver 8.8.4.4

Now it’s time to install Dnsmasq:

sudo apt-get install dnsmasq

Dnsmasq will take care of both DNS and DHCP for your network. We will configure it so that as it allocates IP addresses to clients on the network, it also adds them into its DNS server. This way both forward and reverse lookups will work on any machine, as required by Kerberos 🙂

The configuration file for Dnsmasq (/etc/dnsmasq.conf) is HUGE. However, it is VERY well commented, which makes it easy to play around with. The important things for this guide are:

domain=danbishop.org				#sets the domain name you're going to use
dhcp-range=192.168.0.50,192.168.0.150,12h	#sets the range from which to allocate IP addresses to clients and the lease time
dhcp-option=option:router,192.168.0.1		#sets the IP address of the router (gateway address) to be given to clients
dhcp-option=option:ntp-server,192.168.0.2 #sets the NTP server to 192.168.0.2
dhcp-authoritative				#makes this the authoritative (in this case ONLY) DHCP server on the network

# Server DNS settings... this is required as the server itself will
# not be obtaining its IP address via DHCP and therefore would
# not be automatically added to the DNS records for forward/reverse
# DNS queries as required by Kerberos
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org" 
address=/neo.danbishop.org/192.168.0.2 

# Kerberos and LDAP automatic stuff...
# This maps kerberos.danbishop.org and
# ldap.danbishop.org to the server and also makes all
# dhcp clients aware of the kerberos realm... magic 😀
address=/kerberos.danbishop.org/192.168.0.2 
address=/ldap.danbishop.org/192.168.0.2 
 
txt-record=_kerberos.danbishop.org,"DANBISHOP.ORG"
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos._tcp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-master._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_kerberos-adm._tcp.danbishop.org,"kerberos.danbishop.org",749
srv-host=_kpasswd._udp.danbishop.org,"kerberos.danbishop.org",464

srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389

It is well worth reading through the entire configuration file, though, as there is a lot to be learnt from the excellent comments!

Dnsmasq is now configured to act as your network’s DHCP server and clients are told to use your server for DNS queries. Now you’re all set to get DNS and DHCP up and running. Simply restart the service to load the new configuration:

sudo service dnsmasq restart
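
Because Kerberos depends on forward and reverse lookups agreeing, the static entries in the configuration above are worth checking for consistency. The following is an added example, not part of the original guide: check_dnsmasq is a hypothetical helper, and it assumes IPv4 and the simple option forms used on this page.

```python
import ipaddress

# Constructed sample: static-host lines taken from the dnsmasq.conf above.
SAMPLE_CONF = """
dhcp-range=192.168.0.50,192.168.0.150,12h
ptr-record=2.0.168.192.in-addr.arpa.,"neo.danbishop.org"
address=/neo.danbishop.org/192.168.0.2
address=/kerberos.danbishop.org/192.168.0.2
address=/ldap.danbishop.org/192.168.0.2
srv-host=_kerberos._udp.danbishop.org,"kerberos.danbishop.org",88
srv-host=_ldap._tcp.danbishop.org,ldap.danbishop.org,389
"""

def check_dnsmasq(conf):
    """Return a list of problems found in the static DNS entries of conf."""
    forward, ptrs, srv_targets, pools = {}, [], [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = [f.strip().strip('"') for f in value.split(",")]
        if key == "address":                        # address=/name[/name...]/ip
            parts = value.strip().split("/")
            for name in parts[1:-1]:
                forward[name.lower()] = ipaddress.ip_address(parts[-1])
        elif key == "ptr-record":                   # reverse-name,target
            octets = fields[0].rstrip(".").split(".")[:4]
            ip = ipaddress.ip_address(".".join(reversed(octets)))
            ptrs.append((ip, fields[1].lower()))
        elif key == "srv-host":                     # service,target,port
            srv_targets.append((fields[0], fields[1].lower()))
        elif key == "dhcp-range":                   # start,end,lease
            pools.append((ipaddress.ip_address(fields[0]),
                          ipaddress.ip_address(fields[1])))
    problems = []
    for ip, name in ptrs:                           # reverse must match forward
        if forward.get(name) != ip:
            problems.append(f"PTR {ip} -> {name} has no matching address= line")
    for service, target in srv_targets:             # SRV target must resolve
        if target not in forward:
            problems.append(f"{service} points at unresolvable {target}")
    for name, ip in forward.items():                # static IPs stay out of the pool
        if any(lo <= ip <= hi for lo, hi in pools):
            problems.append(f"{name} ({ip}) is inside a dhcp-range")
    return problems

if __name__ == "__main__":
    print(check_dnsmasq(SAMPLE_CONF) or "static DNS entries are consistent")
```

An empty list means every PTR record has a matching forward entry, every SRV target resolves, and no static address can be handed out to a DHCP client.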

References

https://help.ubuntu.com/community/Dnsmasq

  • shane piper

    Hi Dan, I have been following your blog on setting up an SBS so far so good apart from when I get to the part for adding an ldap group.

    sudo ldapaddgroup domainadmins

    I get an error: Error adding group domainadmins to LDAP

    I have read in a previous blog about the ldap.secret password having to be 1 more than the password length but not having much joy.

    The ldapscripts log talks about the credentials not being correct (49).

    I have installed phpldapadmin as well to see if I can add the groups and users there but it doesn’t add a GID to the group.

    Any ideas?

  • shane piper

    I also added the ldap password to /etc/pam_ldap.secret and fixed the error I had above.

    Regards,

    Shane

  • shane piper

    Dan,

    Sorry to be a pain, but now that I have set up the client machine when I go to login with an ldap user, I get the message ‘Could not update ICEauthority file /home/spiper/.ICEauthority’

    When I look at the home folder on the server there is no ICEauthority file.

  • jim smith

    Dan (or anyone reading this page), if you could help me on this that would be great… I run the command

    “sudo ldapaddgroup domainadmins”

    I receive an output of “Could not guess current user”

    Having a look round, it seems the error is related to the $USER variable not being defined. But other than that I have no idea how to debug and fix this.

  • Myself

    I’ve installed LDAP and Kerberos, but how the two work together is a complete puzzle. Can you elaborate a bit on the roles of each one?

  • Daiko Dauda

    Hi Dan

    Thanks for an excellent set of steps described above.
    I do have one query… everything works, no problems, but I struggle to add normal users, and am I able to create e.g. print admin, etc. (other like groups) with specific permissions?

    Thanks again

    Daiko

    NB: can add-users but cannot generate passwords am I missing the point here?

    • Dan Bishop

      To generate passwords, you just create a new kerberos principal with the same name as the username… 🙂

  • Dan,

    This is a great idea, but rather than make the same mistake Microsoft made with SBS, why not use Linux Containers or KVM and modularize the single physical box design so as to make the system more scalable and easier to migrate to new hardware?

    Even back in my Windows consulting days, I found that installing SBS on top of ESXi often saved clients money in the long term.

    –Sam

    • Dan Bishop

      Hi Sam,

      I am hoping to look at KVM when I get a bit more time. Maybe even making some preconfigured images with a script to modify the configuration for a custom domain… 🙂

      Dan