How to Build an Ubuntu 11.10 SBS (Small Business Server)

Part 6: Account Management

Now you have OpenLDAP and Kerberos up and running, it’s time to learn how to manage your users and groups.

Management Scripts Configuration

Firstly, we’re going to install some scripts to aid with basic management tasks:

sudo apt-get install ldapscripts

Now we need to edit the config file /etc/ldapscripts/ldapscripts.conf uncommenting and changing the following to match your environment:

#  Copyright (C) 2005 Gana�l LAPLANCHE - Linagora
#  Copyright (C) 2006-2011 Gana�l LAPLANCHE
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.


# LDAP server
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"
# Suffixes
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)

# Authentication type
# If empty, use simple authentication
# Else, use the value as an SASL authentication mechanism
SASLAUTH=""
#SASLAUTH="GSSAPI"

# Simple authentication parameters
# DEBIAN: values from /etc/pam_ldap.conf are used.
# The following BIND* parameters are ignored if SASLAUTH is set
#BINDDN="cn=Manager,dc=example,dc=com"
# The following file contains the raw password of the BINDDN
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
#BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"

# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID

# Group membership management
# ObjectCLass used for groups
# Possible values : posixGroup, groupOfNames, groupOfUniqueNames (case-sensitive !)
# Warning : when using groupOf*, be sure to be compliant with RFC 2307bis (AUXILIARY posixGroup).
# Also, do not mix posixGroup and groupOf* entries up in you directory as, within RFC 2307bis,
# the former is a subset of the latter. The ldapscripts wouldn't cope well with this configuration.
GCLASS="posixGroup"   # Leave "posixGroup" here if not sure !
# When using  groupOfNames or groupOfUniqueNames, creating a group requires an initial
# member. Specify it below, you will be able to remove it once groups are populated.
#GDUMMYMEMBER="uid=dummy,$USUFFIX,$SUFFIX"

# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="yes"      # Create home directories and set rights ?
#HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
#HOMEPERMS="755"       # Default permissions for home directories

# User passwords generation
# Command-line used to generate a password for added users.
# You may use %u for username here ; special value "" will ask for a password interactively
# WARNING    !!!! This is evaluated, everything specified here will be run !
# WARNING(2) !!!! Some systems (Linux) use a blocking /dev/random (waiting for enough entropy).
#                 In this case, consider using /dev/urandom instead.
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN=""
PASSWORDGEN="pwgen"

# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"

# Where to log
LOGFILE="/var/log/ldapscripts.log"

# Temporary folder
TMPDIR="/tmp"

# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS

# OpenLDAP client commands
LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"

# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"

# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"

# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""

# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

The changes from the default file are highlighted below:

# Provides LDAP server's address and the admin username
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=danbishop,dc=org"

# These have all been uncommented, Users changed to People
# and the correct suffix set for our domain
SUFFIX="dc=danbishop,dc=org" # Global suffix
GSUFFIX="ou=Groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"      # Machines ou (just under $SUFFIX)

# This creates home directories when we create users
CREATEHOMES="yes"

If you’ve read through the default comments in /etc/ldapscripts/ldapscripts.conf you’ll see that it finds the LDAP admin password from a /etc/ldap.secret file. So the following two commands create that file, write our admin password to it (change PASSWORD to your admin password) and then set it to be non-world-readable. This prevents users discovering your LDAP password, but allows root, or processes running as root, to read the file and find the password.

sudo sh -c "echo -n 'PASSWORD' > /etc/ldap.secret"
sudo chmod 400 /etc/ldap.secret

You might also have noticed that /etc/adduser.conf is used to determine home directory defaults. Ubuntu allows users to view the contents of other user’s home directories by default. In some environments, particularly home environments, this is fine, but you might want to change that by editing DIR_MODE=0755 to be DIR_MODE=0700.

Managing Users

Now the LDAP scripts are configured we can start creating users. We’re going to use the group name “admin” for administrators as this is the default for Ubuntu and will enable us to give admin rights to users on every machine on the network without any further configuration. However, as this group already exists as a local group, we need to be very careful that we don’t lock ourselves out of the server here…

The first thing to do is create a password for our first admin user. As we are using Kerberos for authentication, the administrator needs a principal creating. This is done like so:

sudo kadmin.local -q "addprinc dan"

Now we need some groups to hold our users. The first two groups we will create will be “domainadmins” and “domainusers”:

sudo ldapaddgroup domainadmins
sudo ldapaddgroup domainusers

Next we will create a user and assign him to the admins group:

sudo ldapadduser dan domainadmins

And finally add the user to the users group too:

sudo ldapaddusertogroup dan domainusers

You can now login to the server (and later client machines) as this user. If you want the group domainadmins to have sudo access on the server, you need to run the following:

sudo visudo

Scroll down to the following section and append the %domainadmins… line:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%domainadmins ALL=(ALL) ALL

References

http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2

  • shane piper

    Hi Dan, I have been following your blog on setting up an SBS so far so good apart from when I get to the part for adding an ldap group.

    sudo ldapaddgroup domainadmins

    I get an error: Error adding group domainadmins to LDAP

    I have read in a previous blog about the ldap.secret password having to be 1 more than the password length but not having much joy.

    The ldapscripts log talks about the credentials not being correct (49).

    I have installed phpldapadmin as well to see if I can add the groups and users there but it doesn’t add a GID to the group.

    Any ideas?

  • shane piper

    I also added the ldap password to /etc/pam_ldap.secret and fixed the error I had above.

    Regards,

    Shane

  • shane piper

    Dan,

    Sorry to be a pain, but now that I have set up the client machine when I go to login with an ldap user, I get the message ‘Could not update ICEauthority file /home/spiper/.ICEauthority’

    When I look at the home folder on the server there is no ICEauthority file.

  • jim smith

    Dan (or anyone reading this page) , if you could help me on this that would be great… i run the command

    “sudo ldapaddgroup domainadmins”

    i receive an output of “Could not guess current user”

    having a look round it seems the error is related to the $USER variable not being defined. But other than that i have no idea how to debug and fix this.

  • Myself

    I’ve installed LDAP and Kerberos, but how the two work together is a complete puzzle. Can you elaborate a bit on the roles of each one?

  • Daiko Dauda

    Hi Dan

    Thanks for an excellent set of steps described above.
    I do have on query…everything works no problems, but I struggle to add normal users and am I able to create eg – print admin, etc (other like groups) with specific permissions?

    Thanks again

    Daiko

    NB: can add-users but cannot generate passwords am I missing the point here?

    • Dan Bishop

      To generate passwords, you just create a new kerberos principal with the same name as the username… 🙂

  • Dan,

    This is a great idea, but rather than make the same mistake microsoft made with SBS, why not use Linux Containers or KVM and modularize the single physical box design so as to make the system more scalable and easier to migrate to new hardware?

    Even back in my Windows consulting days, I found that installing SBS on top of ESXi often saved clients money in the long term.

    –Sam

    • Dan Bishop

      Hi Sam,

      I am hoping to look at KVM when I get a bit more time. Maybe even making some preconfigured images with a script to modify the configuration for a custom domain… 🙂

      Dan