...

Code Block
rdiff-backup --remove-older-than 2W backup-server::/backup/raspberry/

6. Configure an LDAP Fat Server/Client

https://help.ubuntu.com/11.10/serverguide/C/openldap-server.html

http://ubuntuforums.org/showthread.php?t=1488232

https://help.ubuntu.com/community/NFSv4Howto

Install and configure LTSP

On the server:

If not done before, configure the sources.list file to use the apt cache of the server:

Code Block
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
sed -i 's#http:/#http://192.168.10.1:3142/#g' /etc/apt/sources.list.d/medibuntu.list
apt-get update 

Install ltsp-server-standalone:

Code Block
sudo apt-get install ltsp-server-standalone

Edit the installation options of ltsp-build-client:

Code Block: /etc/ltsp/ltsp-build-client.conf
# The chroot architecture. 
ARCH=i386
# ubuntu-desktop and edubuntu-desktop are tested. 
# If you test with [k|x]ubuntu-desktop, edit this page and mention if it worked OK. 
# kubuntu lucid (10.10) working okay. 
FAT_CLIENT_DESKTOPS="ubuntu-desktop"
# Space separated list of programs to install. 
# The java plugin installation contained in ubuntu-restricted-extras 
# needs some special care, so let's use it as an example. 
LATE_PACKAGES=" 
 ubuntu-restricted-extras 
 gimp 
 nfs-client 
"
# This is needed to answer "yes" to the Java EULA. 
# We'll create that file in the next step. 
DEBCONF_SEEDS="/etc/ltsp/debconf.seeds"
# This uses the server apt cache to speed up downloading. 
# This locks the servers dpkg, so you can't use apt on 
# the server while building the chroot. 
MOUNT_PACKAGE_DIR="/var/cache/apt/archives/"

Create and edit the following file for the unattended Java and msttcorefonts installation:

Code Block: /etc/ltsp/debconf.seeds
# Do you agree with the DLJ license terms?
sun-java6-bin shared/accepted-sun-dlj-v1-1 boolean true
sun-java6-jre shared/accepted-sun-dlj-v1-1 boolean true
# In order to install this package, you must accept the license terms, the
# "TrueType core fonts for the Web EULA ". Not accepting will cancel the
# installation. Do you accept the EULA license terms?
ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula boolean true

If LTSP is installed on an Oneiric system (otherwise go to the next step):

The fat client plugin blacklists some packages that don't make sense to have in a fat client chroot.

Unfortunately, in Oneiric xdiagnose depends on one of those packages, apport, so the fat client plugin needs to be edited manually for ltsp-build-client to complete successfully.

Open the following file and remove the word "apport" from line 43:

Code Block
/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/030-fat-client

Build the client (even when using the cache of the server, some of the files will be downloaded from the internet; if a solution is found, please update this page):

Code Block
ltsp-build-client --mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu --security-mirror http://192.168.10.1:3142/security.ubuntu.com/ubuntu --updates-mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu

If this doesn't work, you can always modify the configuration files:

Code Block
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/000-basic-configuration
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/010-updates-mirrors

You can also use the fat chroot to run thin clients, not only fat ones. This way you can have a mix of powerful and less powerful clients, which will boot as "fat" or "thin" based on their RAM (consider the fat chroot a "superset" of a thin one, so a thin boot uses only a small but common part of it). The parameter that controls the RAM threshold is:

Code Block
FAT_RAM_THRESHOLD

which defaults to 300 (MB). So if you want your clients to boot as fat ones only if they have more than 800 MB, edit lts.conf and put:

Code Block
FAT_RAM_THRESHOLD=800

Another interesting feature is having a directory of the server available to all the fat clients. For instance, to have the fat clients mount the server's /srv as their own /srv, add this parameter:

Code Block
LOCAL_APPS_EXTRAMOUNTS=/srv


-------------------------

Install and configure DHCP

Configure /etc/network/interfaces

Code Block
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
broadcast 192.168.2.255

cp /etc/ltsp/dhcpd.conf /etc/ltsp/dhcpd-backup.conf

emacs /etc/ltsp/dhcpd.conf

Code Block
#
# Default LTSP dhcpd.conf config file.
#
#authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
 range 192.168.2.2 192.168.2.250;
 option domain-name "LSTPtest.av";
 option domain-name-servers 192.168.2.1;
 option broadcast-address 192.168.2.255;
 option routers 192.168.2.1;
# next-server 192.168.2.1;
# get-lease-hostnames true;
 option subnet-mask 255.255.255.0;
 option root-path "/opt/ltsp/i386";
 if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
 filename "/ltsp/i386/pxelinux.0";
 } else {
 filename "/ltsp/i386/nbi.img";
 }
}

sudo /etc/init.d/networking restart

sudo /etc/init.d/isc-dhcp-server restart

If there are problems, kill NetworkManager or even uninstall it, as it interferes with the DHCP configuration.

Code Block
killall NetworkManager


-----------------

Install and configure LDAP

Preparation

emacs /etc/hosts

Code Block
127.0.0.1 localhost
127.0.1.1 server.bluelight.av server

emacs /etc/hostname

Code Block
server

hostname -f

(reboot if necessary)

Installation

apt-get install slapd ldap-utils

Post-installation

cd /etc/ldap/

emacs add_content.ldif

ldapadd -x -D cn=admin,dc=bluelight,dc=av -W -f add_content.ldif

ldapsearch -x -LLL -b dc=bluelight,dc=av 'uid=john' cn gidNumber

Modifying the slapd Configuration Database

emacs uid_index.ldif

Code Block
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif

emacs schema_convert.conf

Code Block
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema

mkdir ldif_output

slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema

(use the output for the next command)

slapcat -f schema_convert.conf -F ldif_output -n0 -H ldap:///cn={2}corba,cn=schema,cn=config -l cn=corba.ldif

emacs cn\=corba.ldif

# remove the {?} index prefix from the following lines

Code Block
dn: cn=corba,cn=schema,cn=config 
... 
cn: corba

#also delete the following lines

Code Block
structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z 
entryCSN: 20110829165435.935248Z#000000#000#000000 
modifiersName: cn=config 
modifyTimestamp: 20110829165435Z 

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
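The manual cleanup of the slapcat output above (strip the {N} prefix, delete the operational attributes) can be scripted. The following is an added example, not part of the original page; it assumes the schema name is passed as the first argument and the LDIF arrives on stdin, and it uses a constructed sample of slapcat output.

```shell
#!/bin/sh
# Added example (not part of the original page): script the manual edits
# described above for a schema LDIF exported by slapcat. It strips the {N}
# index prefix from the dn: and cn: lines and drops the operational
# attributes that slapcat writes but ldapadd must not be given.
# Assumption: schema name as the first argument, LDIF on stdin.

clean_schema_ldif() {
    schema="$1"
    sed \
        -e "s/^dn: cn=[{][0-9]*[}]${schema},cn=schema,cn=config/dn: cn=${schema},cn=schema,cn=config/" \
        -e "s/^cn: [{][0-9]*[}]${schema}\$/cn: ${schema}/" \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed sample of what "slapcat -n0 -H ldap:///cn={2}corba,..." emits;
# the UUID, CSN and timestamps are made up, not taken from a real server.
SAMPLE_LDIF='dn: cn={2}corba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {2}corba
olcObjectIdentifier: CORBA 1.3.6.1.4.1.42.2.27.4
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z'

# Returns 0 when the cleaned LDIF has the expected dn/cn and none of the
# attributes ldapadd would reject are left.
check_clean() {
    out=$(printf '%s\n' "$SAMPLE_LDIF" | clean_schema_ldif corba)
    printf '%s\n' "$out" | grep -q '^dn: cn=corba,cn=schema,cn=config$' || return 1
    printf '%s\n' "$out" | grep -q '^cn: corba$' || return 1
    ! printf '%s\n' "$out" | grep -q -e '[{][0-9]*[}]' -e '^entryUUID' -e '^entryCSN' -e '^structuralObjectClass'
}

# Real use after the slapcat step above:
#   clean_schema_ldif corba < cn=corba.ldif > cn=corba.clean.ldif
```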


Logging

emacs logging.ldif

Code Block
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif

emacs /etc/rsyslog.conf

#add the following lines at the end of the file

Code Block
# Disable rate limiting (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0

service rsyslog restart

...

emacs provider_sync.ldif

Code Block
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=bluelight,dc=av
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00

emacs /etc/apparmor.d/local/usr.sbin.slapd

#add the following lines to the file

Code Block
/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,

sudo -u openldap mkdir /var/lib/ldap/accesslog

sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog

sudo service apparmor reload

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif

service slapd restart

LDAP Authentication

apt-get install libnss-ldap

auth-client-config -t nss -p lac_ldap

pam-auth-update


User and Group Management


apt-get install ldapscripts

emacs /etc/ldapscripts/ldapscripts.conf

Code Block
SERVER=192.168.10.49
BINDDN='cn=admin,dc=bluelight,dc=av'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=bluelight,dc=av'
GSUFFIX='ou=Group'
USUFFIX='ou=People'
GIDSTART=2000
UIDSTART=2000
HOMESKEL="/etc/skel"
HOMEPERMS="700"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"

chmod 400 /etc/ldapscripts/ldapscripts.passwd

emacs /usr/share/ldapscripts/runtime.debian

Code Block
pamfile='/etc/ldap/ldap.conf'

#if the next command doesn't work, compare the runtime file with the one from: http://ubuntuforums.org/showthread.php?t=1488232


ldapadduser geo users

...

apt-get install nfs-kernel-server

emacs /etc/exports

#add the following

Code Block
/home 192.168.10.0/24(rw,async,no_subtree_check)

emacs /etc/security/group.conf

#add the following at the end of the file

Code Block
gdm;*;*;Al0000-2400;plugdev,fuse,scanner,video,audio,lpadmin,cdrom,dip

emacs /etc/auth-client-config/profile.d/bl-ldap

Code Block
[bl-ldap]
nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account sufficient pam_ldap.so
 account required pam_unix.so
pam_auth=auth sufficient pam_ldap.so
 auth required pam_unix.so nullok_secure use_first_pass
pam_password=password sufficient pam_ldap.so
 password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
 session required pam_mkhomedir.so skel=/etc/skel/
 session optional pam_ldap.so
 session optional pam_foreground.so

auth-client-config -S > /etc/auth-client-config/profile.d/original

auth-client-config -p bl-ldap -a

emacs /etc/pam.d/gdm

#add before "@include common-auth"

Code Block
auth optional pam_group.so


On the client:

Chroot into the client's system

Install and configure LDAP

The following is working for clients using 8.04 and 8.10.
Install some software:

Code Block
aptitude install auth-client-config ldap-auth-client

Provide the URI for the LDAP server: ldap://192.168.10.1
Provide the distinguished name: dc=bluelight,dc=av
LDAP version: 3
Make local root database: yes
Does the LDAP database require login? no
LDAP account for root: cn=admin,dc=bluelight,dc=av

Save the following as a file in /etc/auth-client-config/profile.d/bl-ldap:

Code Block: /etc/auth-client-config/profile.d/bl-ldap
[bl-ldap]
nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account    sufficient   pam_ldap.so
        account    required     pam_unix.so
pam_auth=auth       sufficient   pam_ldap.so
        auth       required     pam_unix.so nullok_secure use_first_pass
pam_password=password   sufficient   pam_ldap.so
        password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    optional     pam_ldap.so
        session    optional     pam_foreground.so

Save the current settings and tell PAM to use LDAP:

Code Block
auth-client-config -S > /etc/auth-client-config/profile.d/original
auth-client-config -p bl-ldap -a

Add the following to /etc/security/group.conf:

Code Block
gdm;*;*;Al0000-2400;plugdev,fuse,scanner,video,audio,lpadmin,cdrom,dip

Add the following line to /etc/pam.d/gdm right before "@include common-auth":

Code Block
auth	optional	pam_group.so

Make sure that the LDAP settings in /etc/ldap.conf are correct:

Code Block
base dc=bluelight,dc=av
uri ldap://192.168.10.1
ldap_version 3
rootbinddn cn=admin,dc=bluelight,dc=av
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,polkituser,proxy,pulse,root,saned,sshd,statd,sync,sys,syslog,uucp,www-data

A little reminder: the following grep command strips the comments and empty lines.

Code Block
grep -v -e ^$ -e ^# /etc/ldap.conf 
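Building on that grep reminder, here is an added check script that is not part of the original page: it filters /etc/ldap.conf the same way, verifies that the keys listed above are present, and warns when the uri is plain ldap:// without "ssl start_tls". It assumes the file path as its only argument and uses a constructed sample file instead of the real /etc/ldap.conf.

```shell
#!/bin/sh
# Added example, not part of the original page: a small audit of the client's
# /etc/ldap.conf that builds on the grep reminder above. It applies the same
# comment/blank-line filter, checks that the keys listed above are present,
# and flags a plain ldap:// uri that is not protected by "ssl start_tls"
# (otherwise the bind credentials cross the network unencrypted).
# Assumption: the path of the file to check is given as the first argument.

ldap_conf_effective() {
    grep -v -e '^$' -e '^#' "$1"
}

# Print the value of a key (first match); nothing if the key is absent.
ldap_conf_get() {
    ldap_conf_effective "$1" | awk -v k="$2" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Returns 0 when base, uri and ldap_version are set and the uri is either
# ldaps:// or ldap:// combined with "ssl start_tls"; prints each finding.
check_ldap_conf() {
    f="$1"; rc=0
    for key in base uri ldap_version; do
        [ -n "$(ldap_conf_get "$f" "$key")" ] || { echo "MISSING: $key"; rc=1; }
    done
    uri=$(ldap_conf_get "$f" uri)
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            [ "$(ldap_conf_get "$f" ssl)" = "start_tls" ] ||
                { echo "WEAK: $uri without 'ssl start_tls'"; rc=1; } ;;
        *) echo "WEAK: unexpected uri '$uri'"; rc=1 ;;
    esac
    [ -z "$(ldap_conf_get "$f" rootbinddn)" ] ||
        echo "NOTE: rootbinddn set, so /etc/ldap.secret holds the admin password; keep it mode 0600"
    return $rc
}

# Constructed copy of the settings shown above (not a real file), with a
# comment and a blank line so the filter has something to strip.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
base dc=bluelight,dc=av

uri ldap://192.168.10.1
ldap_version 3
rootbinddn cn=admin,dc=bluelight,dc=av
pam_password md5
EOF
# check_ldap_conf "$SAMPLE_CONF" reports the plain uri and returns 1.
```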

Make the client ready for NFS

Install the needed packages:

Code Block
aptitude install nfs-client

Make fstab ready for mounting the home directory:

Code Block: /etc/fstab
192.168.10.49:/export	/home	nfs4 _netdev,auto 0 0


For Ubuntu 12.04 LTS

By default, the Unity login window won't display LDAP users. To enable manual login, add this option in /etc/lightdm/lightdm.conf:

Code Block: /etc/lightdm/lightdm.conf
[SeatDefaults]
greeter-show-manual-login=true