How to Build an Ubuntu 11.10 SBS (Small Business Server)

Part 5: NFS

This section will help you configure NFS, using Kerberos to secure it.

The first step is to install the following NFS packages:

sudo apt-get install nfs-kernel-server nfs-common

NFSv4 uses a pseudo-filesystem: the real directories you want to export are mounted under a single export folder using the --bind mount option. We need to create this folder structure as follows:

sudo mkdir /export
sudo mkdir /export/home

In order to mount /home under /export/home each time the system boots, we need to modify /etc/fstab by adding the following line to the bottom of the file:

/home    /export/home   none    bind  0  0

This will take care of mounting the directories the next time the server reboots, but for now we can mount it manually using:

sudo mount /export/home

Next we’re going to tell NFS what it should export by configuring the /etc/exports file like so:

/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)

Now we have to tell NFS to use Kerberos first by setting the following options in /etc/default/nfs-common:

NEED_STATD=
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes

Then by setting the following options in /etc/default/nfs-kernel-server:

RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS=--manage-gids
NEED_SVCGSSD=yes
RPCSVCGSSDOPTS=
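Because a missing sec= option silently falls back to sec=sys, and a forgotten NEED_GSSD/NEED_SVCGSSD=yes leaves the Kerberos daemons stopped, it is worth checking the three files above before restarting NFS. The following audit script is an added example and not part of the original guide; it parses /etc/exports and the two /etc/default/nfs-* files and reports anything that would weaken the Kerberos setup. The sample file contents are constructed (the guide's own two export lines plus one deliberately weak line), and the function and variable names are my own.

```python
"""Audit /etc/exports and the NFS default files for the Kerberos settings
this guide expects.  Added example, not part of the original guide; the
sample file contents below are constructed to mirror the guide's config."""

KRB5_FLAVOURS = {"krb5", "krb5i", "krb5p"}


def parse_exports(text):
    """Yield (path, client, option-set) for every entry in an exports file.

    Handles '# comments', blank lines and several client(opts) entries on
    one line.  A client written without parentheses gets an empty option set;
    a path with no clients at all yields client=None.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, entries = fields[0], fields[1:]
        if not entries:
            yield path, None, set()
            continue
        for entry in entries:
            if "(" in entry and entry.endswith(")"):
                client, opts = entry[:-1].split("(", 1)
                yield path, client, set(o for o in opts.split(",") if o)
            else:
                yield path, entry, set()


def audit_exports(text):
    """Return a list of human-readable findings about an exports file."""
    findings = []
    for path, client, opts in parse_exports(text):
        where = f"{path} {client or '(no client)'}"
        if client is None:
            findings.append(f"{where}: no client list, nothing is exported")
            continue
        sec = [o[len("sec="):] for o in opts if o.startswith("sec=")]
        if not sec:
            # exportfs defaults to sec=sys when no sec= option is present
            findings.append(f"{where}: no sec= option, defaults to sec=sys (no Kerberos)")
        else:
            flavours = sec[0].split(":")
            bad = [f for f in flavours if f not in KRB5_FLAVOURS]
            if bad:
                findings.append(f"{where}: non-Kerberos flavour(s) {','.join(bad)} allowed")
            if "krb5p" not in flavours:
                findings.append(f"{where}: krb5p not offered, so traffic is never encrypted")
        if client == "*":
            # Informational: with sec=krb5* only a valid Kerberos ticket grants access
            findings.append(f"{where}: exported to every host; only Kerberos limits access")
    return findings


def audit_nfs_defaults(text, required):
    """Check KEY=value lines of an /etc/default/nfs-* file against `required`.

    Returns the keys that are missing or carry a different value.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip().strip('"')
    return [k for k, v in required.items() if values.get(k) != v]


# Constructed samples: the guide's two lines plus one that forgot sec=.
SAMPLE_EXPORTS = """\
/export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5)
/export/scratch 192.0.2.0/24(rw,no_subtree_check)   # missing sec=, so sec=sys
"""
SAMPLE_NFS_COMMON = "NEED_STATD=\nSTATDOPTS=\nNEED_IDMAPD=yes\nNEED_GSSD=yes\n"
SAMPLE_NFS_SERVER = "RPCNFSDCOUNT=8\nNEED_SVCGSSD=no\n"   # constructed: gssd left off

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print("exports:", f)
    for k in audit_nfs_defaults(SAMPLE_NFS_COMMON, {"NEED_GSSD": "yes", "NEED_IDMAPD": "yes"}):
        print("nfs-common: expected", k, "= yes")
    for k in audit_nfs_defaults(SAMPLE_NFS_SERVER, {"NEED_SVCGSSD": "yes"}):
        print("nfs-kernel-server: expected", k, "= yes")
```

To run it against the live files, pass `open("/etc/exports").read()` and the two default files in place of the constructed samples. The flavour order in sec= is the server's preference list, so keeping krb5p first, as the guide does, is what makes a client that supports encryption actually use it.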

/etc/idmapd.conf needs to be configured with the correct domain name for user/group name mappings:

[General]

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = danbishop.org

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

Next we need to create Kerberos principals for the NFS server.

sudo kadmin.local -q "addprinc -randkey nfs/neo.danbishop.org"
sudo kadmin.local -q "ktadd nfs/neo.danbishop.org"

sudo kadmin.local is used here as you need sudo privileges to write to /etc/krb5.keytab.

Finally, a small change is needed to enable weak encryption (the only type currently supported by NFS in Ubuntu) in Kerberos. This is done by editing /etc/krb5.conf and adding the following to the [libdefaults] section:

allow_weak_crypto = true

  • shane piper

    Hi Dan, I have been following your blog on setting up an SBS so far so good apart from when I get to the part for adding an ldap group.

    sudo ldapaddgroup domainadmins

    I get an error: Error adding group domainadmins to LDAP

    I have read in a previous blog about the ldap.secret password having to be 1 more than the password length but not having much joy.

    The ldapscripts log talks about the credentials not being correct (49).

    I have installed phpldapadmin as well to see if I can add the groups and users there but it doesn’t add a GID to the group.

    Any ideas?

  • shane piper

    I also added the ldap password to /etc/pam_ldap.secret and fixed the error I had above.

    Regards,

    Shane

  • shane piper

    Dan,

    Sorry to be a pain, but now that I have set up the client machine when I go to login with an ldap user, I get the message ‘Could not update ICEauthority file /home/spiper/.ICEauthority’

    When I look at the home folder on the server there is no ICEauthority file.

  • jim smith

    Dan (or anyone reading this page), if you could help me on this that would be great… I run the command

    “sudo ldapaddgroup domainadmins”

    I receive an output of “Could not guess current user”

    Having a look round, it seems the error is related to the $USER variable not being defined. But other than that I have no idea how to debug and fix this.

  • Myself

    I’ve installed LDAP and Kerberos, but how the two work together is a complete puzzle. Can you elaborate a bit on the roles of each one?

  • Daiko Dauda

    Hi Dan

    Thanks for an excellent set of steps described above.
    I do have one query… everything works, no problems, but I struggle to add normal users, and am I able to create e.g. print admin, etc. (other such groups) with specific permissions?

    Thanks again

    Daiko

    NB: I can add users but cannot generate passwords; am I missing the point here?

    • Dan Bishop

      To generate passwords, you just create a new Kerberos principal with the same name as the username… 🙂

  • Dan,

    This is a great idea, but rather than make the same mistake Microsoft made with SBS, why not use Linux Containers or KVM and modularize the single physical box design so as to make the system more scalable and easier to migrate to new hardware?

    Even back in my Windows consulting days, I found that installing SBS on top of ESXi often saved clients money in the long term.

    –Sam

    • Dan Bishop

      Hi Sam,

      I am hoping to look at KVM when I get a bit more time. Maybe even making some preconfigured images with a script to modify the configuration for a custom domain… 🙂

      Dan