Ubuntu 11.04 SBS (Small Business Server) Setup: Part 7 – Setting Up Clients

This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can log in to any machine on the network and all their files and settings will be the same across the entire network.

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 6 – Account Management

Now you have OpenLDAP and Kerberos up and running, it’s time to learn how to manage your users and groups.

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 5 – NFS

This section will help you configure NFS, using Kerberos to secure it.

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 4 – Kerberos

It’s time to install and configure Kerberos.

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 3 – OpenLDAP

OpenLDAP is a directory service. Think of it as a database for storing all your users, their groups and other information. In time you can use it to store much more, but initially we’re going to use it as a centralised authorisation system. Clients will check usernames and permissions against those stored in the directory on the server. Though it is also possible to store passwords in LDAP and use it for authentication, we’ll be using Kerberos for this purpose.

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 2 – NTP

Your server will automatically request the time from the Ubuntu NTP servers on every boot… but hopefully you’re not going to reboot it very often. It is useful for the server time to be correct when debugging and it is ESSENTIAL for the server and all the clients on the network to have the same time (±5mins by default) for Kerberos to work.

Ubuntu 11.04 SBS (Small Business Server) Setup: Part 1 – DHCP and DNS

The first thing to get your server to do is act as a DHCP and DNS server. This will allow you to map hostnames to IP addresses (and vice versa!) automatically. This means all network clients will know that neo.danbishop.org and 192.168.0.2 are one and the same. This is ESSENTIAL if you plan to use Kerberos later on.

Ubuntu 10.10 SBS (Small Business Server) Setup: Part 9 – Connecting Portable Clients (Laptops) to Your Ubuntu Server with Kerberos, LDAP and Synchronised Home Directories

THIS SECTION IS A WORK IN PROGRESS! A DESCRIPTION OF WHAT WILL BE ACHIEVED FOLLOWS:

By their very nature, laptops tend to have unreliable network connections. Sometimes they’ll be connected to wifi at work, wired at home, 3G/mobile networks out and about… sometimes no connection at all.

The aim of this part of the guide is to make the laptop function as much like a desktop client as possible, but taking into account the network connection issues.

The first time a user logs in to the laptop, their home directory will be copied to the laptop and their login credentials cached. The home directory will continue to be synchronised in the background whilst the user works; this avoids the need to resync at logoff, which would cause a long delay at a potentially very inconvenient time for the user.

The next time the user logs into the laptop, their credentials will again be checked against the Kerberos server… but if this is unavailable, the cached credentials will be used. Should a network connection become available once the user has logged in, synchronisation will begin in the background. If not, the sync will simply happen the next time the user does have a network connection.

Synchronisation will be handled by Unison using SSH. Whilst the use of Kerberised SSH is a possibility, it would require prompting the user for their password when a network connection becomes available post-login, so as to obtain a ticket. To avoid this, SSH keys will be used instead.

Changes to the Server

Before we begin, it is necessary to install unison on the server like so:

sudo apt-get install unison

The Laptop

Follow the regular client guide but DO NOT set up AUTOFS – relevant parts will be copied and pasted here soon. Then:

sudo apt-get install auth-client-config nss-updatedb libnss-db libpam-cracklib libpam-ccreds
sudo nano /etc/auth-client-config/profile.d/krb-auth-config

[krb5ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth       sufficient   pam_krb5.so
         auth       required     pam_unix.so nullok_secure use_first_pass
pam_account=account    sufficient   pam_krb5.so
            account    required     pam_unix.so
pam_password=password   sufficient   pam_krb5.so
             password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
            session    required     pam_mkhomedir.so skel=/etc/skel/
            session    optional     pam_krb5.so
            session    optional     pam_foreground.so
            session    optional     pam_exec.so /bin/sh /usr/share/episync/epi-home-prep

[krb5ldap.cached]
nss_passwd=passwd: files ldap [NOTFOUND=return] db
nss_group=group: files ldap [NOTFOUND=return] db
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files ldap
pam_auth=auth   required       pam_env.so
         auth   sufficient     pam_unix.so likeauth nullok
         auth   [default=ignore success=1 service_err=reset] pam_krb5.so use_first_pass
         auth   [default=die success=done] pam_ccreds.so action=validate use_first_pass
         auth   sufficient pam_ccreds.so action=store use_first_pass
         auth   required        pam_deny.so
pam_account=account    sufficient   pam_krb5.so
            account    required     pam_unix.so
pam_password=password   sufficient   pam_krb5.so
             password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
            session    required     pam_mkhomedir.so skel=/etc/skel/
            session    optional     pam_krb5.so
            session    optional     pam_foreground.so

sudo nss_updatedb ldap
sudo auth-client-config -a -p krb5ldap.cached
sudo mkdir /usr/share/episync
sudo nano /usr/share/episync/epi-home-prep

#!/bin/bash

USER=$PAM_USER
USERHOME=/home/$USER

PROFILE=$USERHOME/.profile
CONFIGURED_STAMP=~/.episync-configured-do-not-delete
SETUP_SCRIPT=/usr/share/episync/episync-user-setup

# pam_exec runs this with the privileges of the login service (normally root),
# but the home directory belongs to the user: leave a symlinked .profile alone
[ -L "$PROFILE" ] && exit 0

COMMENT="# Added by episync"
if ! grep -q "$COMMENT" "$PROFILE"
then
    # printf rather than echo: bash's echo does not expand \n
    printf '\n%s\n' "$COMMENT" >> "$PROFILE"
    # Execute episync setup unless it's already configured
    # echo "[ -f $CONFIGURED_STAMP ] || $SETUP_SCRIPT" >> $PROFILE
    # Always execute the roaming profile sync tool
    echo "/usr/share/episync/episync-sync" >> "$PROFILE"
fi

# Set proper .profile ownership (-h: never dereference a symlink)
chown -h "$USER": "$PROFILE"

sudo nano /usr/share/episync/episync-sync

#!/bin/bash

# If server address is not in the environment, read it
if [ -z "$SERVER" ]
then
    SERVER=$(grep ^host /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1)
fi

# Generate key pair if not already done
if ! [ -f ~/.ssh/id_rsa.pub ]
then
    . /usr/share/episync/episync-generate-key
fi

# FIXME: This doesn't work, investigate why
IGNORE_LIST="-ignore 'Path .gvfs' -ignore 'Path .local/share/Trash' -ignore 'Regex .*(cache|Cache|te?mp|history|thumbnails).*'"

# Sync files with pulsating progress bar
(echo ; unison "$HOME" "ssh://$USER@$SERVER//$HOME" -batch) | zenity --title='EpiSync' --progress --auto-close --pulsate --text='Synchronising your files.'

sudo nano /usr/share/episync/episync-generate-key

#!/bin/bash

# If server address is not in the environment, read it
if [ -z "$SERVER" ]
then
    SERVER=$(grep ^host /etc/ldap.conf | cut -d' ' -f2 | cut -d: -f1)
fi

TEXT="Welcome to EpiSync first login configuration.

You are seeing this because you have not logged onto this laptop before. After you close this dialog, you will be asked for your password. It is needed to copy your public key to the server so that your files can be synchronised. You will not have to do this again, just this time."

# Create a passphrase-less key pair for this user
ssh-keygen -f "$HOME/.ssh/id_rsa" -N ''

zenity --text "$TEXT" --info

# Copy the public key to the server, asking for the password in a dialog
SSH_ASKPASS=ssh-askpass setsid ssh-copy-id "$SERVER"

if [ $? -eq 0 ]
then
    zenity --text "Key copied successfully." --info
else
    zenity --text "Copy public key to $SERVER failed." --error
fi

sudo chmod +x /usr/share/episync/*
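
The FIXME in episync-sync comes down to shell quoting: quotes stored inside IGNORE_LIST are data, not syntax, so unison never receives 'Path .gvfs' as one argument. The following is an added example, not part of the original scripts, that shows the difference and a form of the sync call that passes the patterns intact; the function names and the UNISON override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the episync scripts.

# Helper for the demonstration: report how many arguments were received.
count_args() { echo "$#"; }

# The form used in episync-sync, reduced to one pattern. The single quotes are
# ordinary characters inside the variable; on expansion the text is split on
# whitespace only, so 'Path .gvfs' arrives as two arguments: "'Path" and ".gvfs'".
broken_count() {
    IGNORE_LIST="-ignore 'Path .gvfs'"
    count_args $IGNORE_LIST    # deliberately unquoted, as it would have to be
}

# One shell word per argument: the space stays inside a single argument.
fixed_count() {
    set -- -ignore 'Path .gvfs'
    count_args "$@"
}

# The sync call with the page's three patterns passed intact.
# $1 = server; UNISON may be overridden with a stub for a dry run (assumption).
sync_home() {
    set -- "$HOME" "ssh://$USER@$1//$HOME" -batch \
        -ignore 'Path .gvfs' \
        -ignore 'Path .local/share/Trash' \
        -ignore 'Regex .*(cache|Cache|te?mp|history|thumbnails).*'
    "${UNISON:-unison}" "$@"
}
```
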

How To Generate An SSH Keypair To Allow Password-less Logins

It’s quite common to use SSH/SCP in scripts, particularly for backup purposes. Unfortunately, this would mean storing a password in the script, which would consequently appear in logs etc… A much better plan is to use SSH keypairs. Once you’ve created a passphrase-less keypair and copied its public key to the machine you want to reach, you can log in without a password.

Firstly we’ll create the key on the client machine. This is the machine that you want to be able to connect FROM without using a password. In this scenario, the machine “www” is going to run a backup script that needs to store data on “neo” without using a password. So we create the key on “www”.

ssh-keygen -t rsa -b 4096

The -b 4096 is optional, but will instruct the machine to generate a more secure 4096-bit key rather than the default 2048-bit one.

When asked for a passphrase, simply hit enter for none.

Now we need to copy the key to the machine that we want to be able to access without a password:

ssh-copy-id -i ~/.ssh/id_rsa.pub dan@neo.danbishop.org

You will be prompted for your password for the user dan@neo.danbishop.org.

All done 🙂

You can now type “ssh neo” and it will log you straight in without asking for your password! 😀
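
A passphrase-less private key is an unattended credential, so the matching line in authorized_keys on neo is worth restricting to the one host and command that need it; the same applies to the keys episync-generate-key creates with -N ''. This added example (not from the original post) builds such a line and audits an authorized_keys file for keys lacking from= or command=; the host name www.danbishop.org, the path /usr/local/bin/backup-receive and the key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Key material and the forced command path are constructed.

# Print the options field of one authorized_keys line (empty when there is none).
# Options are whatever precedes the key type; the base64 blob starts with "AAAA".
key_options() {
    printf '%s\n' "$1" | sed -E \
        's/(^|[[:space:]]+)(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^[:space:]]+)[[:space:]]+AAAA.*$//'
}

# Build a restricted entry: $1 = allowed source host, $2 = forced command,
# $3 = the public key line from id_rsa.pub.
restricted_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$2" "$3"
}

# List every key in file $1 that lacks from= or command=.
# Returns 1 when at least one such key exists.
audit_authorized_keys() {
    found=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        opts=$(key_options "$line")
        missing=
        case "$opts" in *from=*) ;; *) missing="$missing from=" ;; esac
        case "$opts" in *command=*) ;; *) missing="$missing command=" ;; esac
        if [ -n "$missing" ]; then
            echo "line $n: missing$missing"
            found=1
        fi
    done < "$1"
    return "$found"
}

# Constructed sample: the key as ssh-copy-id installs it, then a restricted copy.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED user@www'
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_PUB" > "$f"
    restricted_entry www.danbishop.org /usr/local/bin/backup-receive "$SAMPLE_PUB" >> "$f"
    rc=0
    audit_authorized_keys "$f" || rc=$?
    rm -f "$f"
    return "$rc"
}
demo || true
```
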

ASUS Upside Down Webcam in Ubuntu?

If you notice your webcam is upside down in Skype/Flash but fine in everything else, there’s a good chance the following will solve your problem.

Simply run this command in a terminal, followed by the program you want to run. For example for skype:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
skype

Or

export LD_PRELOAD=/usr/lib32/libv4l/v4l1-compat.so
chromium-browser

Note that the path contains lib32 as both Flash and Skype are 32-bit programs. If you’re actually using a 32-bit version of Ubuntu you can modify the path to read: /usr/lib/libv4l/v4l1-compat.so

Update: Name change for 11.04+

If you’re using Ubuntu 11.04 (Natty) or above you need to use the following instead:

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
skype

Or

export LD_PRELOAD=/usr/lib32/libv4l/v4l1compat.so
chromium-browser