1. Assignment: Install a Debian SSH server on VirtualBox and access it

Configure apt to use the apt-cacher on 192.168.10.1 port 3128:

Code Block
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list

install emacs

Code Block
sudo aptitude install emacs

Install and configure the OpenSSH server and make it work

Code Block: Start ssh-agent
eval `ssh-agent`
# if ssh-add is not working, start a shell under a fresh agent instead:
exec ssh-agent bash

add sam_sshkey.pub to .ssh/authorized_keys

add to /etc/ssh/sshd_config:

Code Block
AllowUsers xxx

Change in the same file:

Code Block
PasswordAuthentication no
PermitRootLogin no

If the ssh login does not work, check the group and owner of .ssh/authorized_keys
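As an added example (not from this wiki page), a small POSIX sh script that checks an sshd_config for the three settings above and verifies the owner and permissions of .ssh/authorized_keys, which is exactly what sshd's StrictModes (on by default) refuses when it is wrong. The file names, the user "xxx" and the sample contents are constructed for the demonstration; it assumes a find that understands -maxdepth (GNU or BSD).

```shell
#!/bin/sh
# Added example: audit sshd_config hardening and authorized_keys ownership/permissions.
# Not taken from the wiki; paths and sample contents are constructed for the demo.

# Effective value of a keyword: sshd uses the first uncommented occurrence.
# (Match blocks are ignored; for a global audit that is good enough.)
sshd_value() {   # $1 = sshd_config, $2 = keyword (case-insensitive)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# 0 when the config carries the settings this section asks for.
check_sshd_config() {   # $1 = sshd_config
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || return 1
    [ -n "$(sshd_value "$1" AllowUsers)" ] || return 1
}

# 0 when the path is owned by $2 and has exactly the octal mode $3.
owned_with_mode() {   # $1 = path, $2 = owner, $3 = octal mode
    [ -n "$(find "$1" -maxdepth 0 -user "$2" -perm "$3" 2>/dev/null)" ]
}

group_or_world_writable() {   # 0 when group or others may write $1
    [ -n "$(find "$1" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# What StrictModes checks before it trusts the key file: ~/.ssh owned by the
# user and closed to everyone else, and authorized_keys owned by the user and
# not writable by group or others. The home directory itself is left to the caller.
check_authorized_keys() {   # $1 = home dir, $2 = expected owner
    dir="$1/.ssh"; file="$dir/authorized_keys"
    [ -f "$file" ] || return 1
    owned_with_mode "$dir" "$2" 700 || return 1
    [ -n "$(find "$file" -maxdepth 0 -user "$2")" ] || return 1
    group_or_world_writable "$file" && return 1
    return 0
}

# Constructed sample tree: one hardened setup and one that sshd would reject.
build_sample() {   # $1 = scratch dir
    mkdir -p "$1/good/.ssh" "$1/bad/.ssh"
    printf 'PasswordAuthentication no\nPermitRootLogin no\nAllowUsers xxx\n' > "$1/sshd_good"
    printf '#PasswordAuthentication no\nPermitRootLogin yes\n' > "$1/sshd_bad"
    : > "$1/good/.ssh/authorized_keys"
    chmod 700 "$1/good/.ssh"; chmod 600 "$1/good/.ssh/authorized_keys"
    : > "$1/bad/.ssh/authorized_keys"
    chmod 755 "$1/bad/.ssh"; chmod 664 "$1/bad/.ssh/authorized_keys"
}

scratch=$(mktemp -d) && build_sample "$scratch"
me=$(id -un)
check_sshd_config "$scratch/sshd_good" && echo "sshd_good: hardened"
check_sshd_config "$scratch/sshd_bad" || echo "sshd_bad: password auth or root login still allowed"
check_authorized_keys "$scratch/good" "$me" && echo "good/.ssh: ok"
check_authorized_keys "$scratch/bad" "$me" || echo "bad/.ssh: wrong owner or permissions"
rm -rf "$scratch"
```

Run it against a real host with `check_sshd_config /etc/ssh/sshd_config` and `check_authorized_keys /home/xxx xxx`; a commented-out `#PasswordAuthentication no` is deliberately treated as absent, since sshd then falls back to its default of `yes`.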

install bash completion

Code Block
aptitude install bash-completion

add the following to ~/.bashrc or ~/.bash_profile

Code Block
if [ -f /etc/bash_completion ]; then . /etc/bash_completion; fi

Document the work done

Well, that's kind of done but the editing interface of the wiki is not yet clear to me. A few shortcuts:

  • create a code box:
Code Block
{code 'Enter'
  • heading
Code Block
'ctrl' AND '1' XOR '2' XOR '3'
  • bullet list
Code Block
'shift' AND 'ctrl' AND 'b'
  • bold, underline, italic
Code Block
'ctrl' AND 'b'
'ctrl' AND 'u'
'ctrl' AND 'i' 
  • save
Code Block
'ctrl' AND 's'

 

Problems encountered after installation of debian

On start and halt

PROBLEM:

Code Block
exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken

SOLUTION:

Code Block
rm /var/log/exim4/paniclog

PROBLEM: the network needs to be started manually with dhclient eth0.

PROBLEM: when 'auto eth0' is added to /etc/network/interfaces, the NFS interfaces get stuck on boot.

SOLUTION: there was no 'auto lo' in /etc/network/interfaces. Adding that plus 'auto eth0' makes it work.

2. Assignment: Install a graphic interface on a Debian installation

Install Debian with nothing but the minimum (except for a laptop)

Install XOrg

Code Block
apt-get install xorg

Install Gnome

Code Block
apt-get install gnome-core

to test the installation:

Code Block
startx

change the resolution

Code Block
CTRL + ALT + '+'  and CTRL + ALT + '-' 

List the available resolutions and change it

Code Block
xrandr -q
xrandr -s <resolution>

 

Install a display manager

Code Block
apt-get install gdm

to start it

Code Block
gdm

 

Install proprietary graphic card drivers:

If the kernel was not compiled locally you need to install the kernel headers.

Check the kernel version

Code Block
uname -r

Install the kernel headers and link them to /usr/src/linux

Code Block
apt-get install linux-headers-...
rm /usr/src/linux
ln -s /usr/src/linux-headers-... /usr/src/linux

Install the compilers

Code Block
apt-get install gcc g++

 

For the nvidia cards

Download the latest drivers from the nvidia website.

Stop gdm (might need a kill)

Code Block
/etc/init.d/gdm stop

Install the driver

Code Block
sh NVIDIA...

Don't download the kernel interface; ask for a compilation of a new interface. Then run nvidia-xconfig and restart gdm

Code Block
nvidia-xconfig
/etc/init.d/gdm restart 

To remove the logo in xorg.conf

Code Block
Option "NoLogo" "1"

3. Assignment: Install Amanda & use it

Installation

create the directory structure for the folders to keep the backup

Code Block
mkdir /mnt/backup
#mount $DISK /mnt/backup/
mkdir /mnt/backup/vtapes /mnt/backup/holding /mnt/backup/holding/sam
chown backup.disk -R /mnt/backup/* 

create the config in /etc/amanda

Code Block
mkdir /etc/amanda/sam-daily
touch /etc/amanda/sam-daily/amanda.conf
touch /etc/amanda/sam-daily/disklist
chown -R backup.backup /etc/amanda/sam-daily

/etc/amanda/sam-daily/amanda.conf

Code Block
org "sam"
mailto "root"
dumpcycle 7
runspercycle 5
tapecycle 30
dumpuser "backup"
tpchanger "chg-disk:/mnt/backup/vtapes/sam" # a virtual tape changer
#tapedev "/dev/nst0a" # the tapechanger
#tapedev "file:/mnt/backup/vtapes/offering"
changerfile "/var/lib/amanda/sam/changerfile"
labelstr "SAM.*"
label_new_tapes "SAM-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/sam"
infofile "/var/lib/amanda/sam/curinfo"
indexdir "/var/lib/amanda/sam/index"
tapelist "/var/lib/amanda/sam/tapelist"
runtapes 5
#usetimestamps YES
dtimeout 3600 #seconds per client per dump
holdingdisk hd1 {
 directory "/mnt/backup/holding/sam"
}
define dumptype comp-tar {
 program "GNUTAR"
 index yes
# record no # Important! avoid interfering with production runs
 auth "bsdtcp"
 
}
define dumptype user-tar-span {
 comp-tar
 tape_splitsize 445 MB
 auth "bsd"
 #holdingdisk no
 #split_diskbuffer "/mnt/holding/diskbuffer"
 #fallback_splitsize 100M
 comment "tape-spanning user partitions dumped with tar"
 #exclude list "/etc/amanda/sam-daily/exclude-list"
}
define dumptype user-tar-span-home {
 user-tar-span
 comment "excluding all the unwanted things from /home"
# exclude list "/etc/amanda/sam-daily/exclude-list"
}
define tapetype DVD_SIZED_DISK {
 filemark 4 KB
 length 4482 MB
}
 
Code Block
echo debian-server-test-sam.bluelight.av backup amdump >> /var/backups/.amandahosts

/etc/amanda/sam-daily/disklist

Code Block
debian-server-test-sam.bluelight.av /etc user-tar-span
debian-server-test-sam.bluelight.av /var user-tar-span
debian-server-test-sam.bluelight.av /root user-tar-span
#debian-server-test-sam.bluelight.av /home/./all /home/ {
#user-tar-span
#exclude append "./media_no_backup"
#}

as the backup user create all the virtual tapes and label them

Code Block
su backup -c "mkdir /mnt/backup/vtapes/sam"
for i in `seq 30`; do su backup -c "mkdir /mnt/backup/vtapes/sam/slot$i"; done
cd /mnt/backup/vtapes/sam && ln -s slot1 data

create the tapelist

Code Block
su backup -c "mkdir /var/lib/amanda/sam"
su backup -c "touch /var/lib/amanda/sam/tapelist"

label the tapes

Code Block
for i in `seq 30`; do su backup -c "/usr/sbin/amlabel sam-daily SAM-$i slot $i"; done

/root/scripts/amanda-backup (after creating the folder)

Code Block
#!/bin/bash
#mount ${DISK} /mnt/backup
su backup -c "/usr/sbin/amdump sam-daily"
#sleep 5
#umount /mnt/backup
exit 0

Code Block
chmod +x /root/scripts/amanda-backup

Recover (example for /etc)

In order to be able to run a recovery add the following line to /etc/amandahosts

Code Block
localhost root amindexd amidxtaped

Go to the /etc folder

Code Block
amrecover sam-daily
listhost
sethost  debian-server-test-sam.bluelight.av
listdisk
setdisk /etc
cd <folder>    (ls works too)
add <name>     (name of the folder to recover, or * for everything)
extract
exit

 

If the backup is restored from an external drive:

    • make sure you have /etc/amanda and /var/lib/amanda on the external drive
    • copy these 2 folders to the system to restore
    • mount --bind the folder containing the vtapes onto the folder on the system which is supposed to hold the vtapes (cf /etc/amanda/sam-daily/amanda.conf)
    • follow the steps above

Problems encountered

...amanda.conf ...Line 54: end of line expected

SOLUTION: Press 'ENTER' at the end of the file and save.

 

4. Assignment: Weekly backup for server cupcake

First phase: Test on VirtualBox

Clone the amanda disk already created.

Do it by exporting the appliance and then importing it, preferably under a new name.

PROBLEM: the virtual disks use the same LAN card and the same MAC address.

SOLUTION: change the MAC address in VirtualBox and change it in the OS:

Code Block
emacs /etc/udev/rules.d/70-persistent-net.rules

keep the interface with the new MAC address and make sure it is named eth0. Restart the OS.

Create the virtual drive and mount it on the server

Create 1 drive in virtual box and create 2 partitions:

Code Block
fdisk -l
cfdisk /dev/sdb

format the partitions and mount them:

Code Block
mkfs.ext3 /dev/sdb1
mkfs.ext3 /dev/sdb2
mkdir /media/backup-data
mkdir /media/backup-data2
mount -t ext3 /dev/sdb1 /media/backup-data
mount -t ext3 /dev/sdb2 /media/backup-data2

Create a daily backup of the second virtual OS

Second phase: Configure CUPCAKE 

Explanation of runspercycle and the other settings in amanda.conf

...

Creating the script adapted to the present situation of the server (12/2011)

Code Block
#!/bin/bash
## this is to automate the amanda setup
## variables used.
SERVICE=bluelight
FREQ=-weekly # frequency of the backup
MOUNTPOINT1=/media/backup-data # mountpoint for holding
MOUNTPOINT2=/media/backup-data2 # mountpoint for backup
TAPE=`echo ${SERVICE}${FREQ} | tr '[a-z]' '[A-Z]'`
## create the directory structure for the folders to keep the backup
## (the vtapes tree on MOUNTPOINT2 must exist before the slots are created below)
mkdir -p ${MOUNTPOINT1}/amanda/holding/${SERVICE}${FREQ}
mkdir -p ${MOUNTPOINT2}/amanda/vtapes
chown backup.disk -R ${MOUNTPOINT2}/amanda
chown backup.disk -R ${MOUNTPOINT1}/amanda
## create the config in /etc/amanda
mkdir /etc/amanda/${SERVICE}${FREQ}
touch /etc/amanda/${SERVICE}${FREQ}/amanda.conf
touch /etc/amanda/${SERVICE}${FREQ}/disklist
chown -R backup.backup /etc/amanda/${SERVICE}${FREQ}
## The config files
cat << EOF > /etc/amanda/${SERVICE}${FREQ}/amanda.conf
org "Bluelight"
mailto "bluelight@auroville.org.in"
dumpcycle 28
runspercycle 4
runtapes 15
tapecycle 60
dumpuser "backup"
tpchanger "chg-disk" # a virtual tape changer
tapedev "file:/media/backup-data2/amanda/vtapes/bluelight-weekly"
changerfile "/var/lib/amanda/bluelight-weekly/changerfile"
labelstr "BLUELIGHT-WEEKLY-.*"
#label_new_tapes "BLUELIGHT-WEEKLY-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/bluelight-weekly"
infofile "/var/lib/amanda/bluelight-weekly/curinfo"
indexdir "/var/lib/amanda/bluelight-weekly/index"
tapelist "/var/lib/amanda/bluelight-weekly/tapelist"
holdingdisk hd1 {
 directory "/media/backup-data/amanda/holding/bluelight-weekly"
}
define dumptype comp-tar {
 program "GNUTAR"
 compress fast
 index yes
# record no # Important! avoid interfering with production runs
} 
define dumptype user-tar-span {
 comp-tar
 tape_splitsize 445 MB
 holdingdisk no
 split_diskbuffer "/media/backup-data/amanda/holding/diskbuffer"
 fallback_splitsize 100M
 comment "tape-spanning user partitions dumped with tar"
 compress none
}
define dumptype user-tar-span-home {
 user-tar-span
 comment "excluding all the unwanted things from /home"
 exclude list "/etc/exclude-list"
 compress none
}
define tapetype DVD_SIZED_DISK {
 filemark 4 KB
 length 4482 MB
}
EOF

## create the disklist
cat <<EOF > /etc/amanda/${SERVICE}${FREQ}/disklist
rose.bluelight.av /etc user-tar-span
rose.bluelight.av /root user-tar-span
rose.bluelight.av /var user-tar-span
#192.168.10.12 /home/aufilduweb/data/Entreprises/Auroville/ user-tar-span
#
#192.168.10.12 /var/www/./programming /var/www {
# user-tar-span
## auth "bsdtcp"
# include "./meeting"
# include "./act"
# include "./mm_visitor_access"
#} 2
#this section is for everything in /home
######
rose.bluelight.av /home/./bharathy /home/ {
 user-tar-span-home 
 include "./bharathy"
} 1
rose.bluelight.av /home/./juergen /home/ {
 user-tar-span-home 
 include "./juergen"
} 1
rose.bluelight.av /home/./resources /home/ {
 user-tar-span-home 
 include "./resources"
} 1
rose.bluelight.av /home/./rest /home/ {
 user-tar-span-home 
 exclude append "./bharathy"
 exclude append "./juergen"
 exclude append "./resources"
 exclude append "./backup"
 exclude append "./backup_services"
 exclude append "./rdiff-backup"
 exclude append "./classes"
 exclude append "./joy"
 exclude append "./sincerity"
 exclude append "./surrender"
 exclude append "./music"
} 1
######
EOF

## as the backup user create all the virtual tapes and label them
su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}"
for i in `seq 30`; do su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}/slot$i"; done
cd ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ} && ln -s slot1 data

## create the tapelist
su backup -c "mkdir /var/lib/amanda/${SERVICE}${FREQ}"
su backup -c "touch /var/lib/amanda/${SERVICE}${FREQ}/tapelist"

## label the tapes
for i in `seq 30`; do su backup -c "/usr/sbin/amlabel ${SERVICE}${FREQ} ${TAPE}-$i slot $i"; done
[ -d /root/scripts ] || mkdir /root/scripts

## create the starting script
cat <<EOF > /root/scripts/amanda-${SERVICE}${FREQ}-backup
#!/bin/bash
su backup -c "/usr/sbin/amdump ${SERVICE}${FREQ}"
sleep 20
# if the machine should stay on after the backup create a file in / called no
# ie touch /no
if [ -f /no ]
then
 rm -f /no
 exit 0
else
 /sbin/halt
fi
exit 0
EOF
chmod +x /root/scripts/amanda-${SERVICE}${FREQ}-backup
exit 0
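As an added example (not part of the wiki's setup script), a POSIX sh check that reads the rotation parameters back out of an amanda.conf and applies the rule from amanda.conf(5): tapecycle must be larger than runspercycle * runtapes, the number of tapes one full dump cycle can consume, otherwise a run may be asked to overwrite a tape that still holds the previous cycle. It also compares tapecycle with the number of vtape slots that were labelled, because Amanda only reuses a tape once it has dropped out of the last tapecycle runs. The two sample configs are constructed here from the values used on this page.

```shell
#!/bin/sh
# Added example, not the wiki's code: consistency checks on amanda.conf
# rotation parameters. Sample files are constructed from the page's values.

conf_value() {   # $1 = amanda.conf, $2 = parameter (first uncommented occurrence)
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

tapes_per_cycle() {   # runspercycle * runtapes = tapes one dump cycle can use
    echo $(( $(conf_value "$1" runspercycle) * $(conf_value "$1" runtapes) ))
}

check_tapecycle() {   # 0 when tapecycle > tapes_per_cycle (rule from amanda.conf(5))
    [ "$(conf_value "$1" tapecycle)" -gt "$(tapes_per_cycle "$1")" ]
}

# Amanda only reuses a tape that is no longer among the last tapecycle runs,
# so with fewer labelled vtapes than tapecycle the changer eventually has no
# reusable tape left. $2 = number of labelled slots.
check_labelled_slots() {
    [ "$2" -ge "$(conf_value "$1" tapecycle)" ]
}

write_samples() {   # $1 = scratch dir; values taken from the two configs on this page
    printf 'dumpcycle 7\nrunspercycle 5\ntapecycle 30\nruntapes 5\n' > "$1/sam-daily.conf"
    printf 'dumpcycle 28\nrunspercycle 4\nruntapes 15\ntapecycle 60\n' > "$1/bluelight-weekly.conf"
}

d=$(mktemp -d) && write_samples "$d"
for c in sam-daily bluelight-weekly; do
    f="$d/$c.conf"
    printf '%s: %s tapes per cycle, tapecycle %s: ' "$c" "$(tapes_per_cycle "$f")" "$(conf_value "$f" tapecycle)"
    check_tapecycle "$f" && echo "ok" || echo "tapecycle too small"
    # both setup scripts on this page label 30 slots (seq 30)
    check_labelled_slots "$f" 30 || echo "$c: only 30 slots labelled, fewer than tapecycle"
done
rm -rf "$d"
```

Against the weekly values this reports 4 * 15 = 60 tapes per cycle with tapecycle 60, and 30 labelled slots against a tapecycle of 60; amcheck warns about the first, the second only shows up once the labelled tapes are all still inside the cycle.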

Create a crontab entry

Code Block
# m h dom mon dow command
17 12 * * 1-4 /root/scripts/backup-bluelight
17 12 * * 5 /root/scripts/backup-bluelight-weekly

changed the runspercycle of the daily backup to 4 in amanda.conf

 

PROBLEM:

Code Block
amrecover bluelight-weekly
AMRECOVER Version 2.5.2p1. Contacting server on localhost ...
[request failed: timeout waiting for ACK]

SOLUTION: give the index server and tape server explicitly:

Code Block
amrecover bluelight-weekly -s cupcake.bluelight.av -t cupcake.bluelight.av

5. Assignment: Make a weekly offsite backup of the TownHall

Rdiff-backup

Install rdiff-backup on the server and on the workstation.

 

Code Block
apt-get install rdiff-backup

 

and create a backup folder on the server (e.g. /backup/servername/)

Login using ssh key

As root on the workstation create the key; do not enter a passphrase.

Code Block
ssh-keygen -t rsa

Copy the public key to the server

Code Block
scp /root/.ssh/id_rsa.pub root@192.168.10.91:/root/

Append the public key to .ssh/authorized_keys of the user (in their home folder) you want to log in as

Code Block
cat id_rsa.pub >> /root/.ssh/authorized_keys

change in /etc/ssh/sshd_config:

Code Block
PasswordAuthentication no
PermitRootLogin without-password

If the ssh login does not work, check the group and owner of .ssh/authorized_keys, or check the name of the file...

Create a backup list

/root/rdiff-backups/backup-list-server

Code Block
/home/
- /
 

Create an ssh alias to access the server

/root/.ssh/config

Code Block
Host backup-server
 Hostname 192.168.10.91
 User root
 IdentityFile /root/.ssh/id_rsa_backup_raspberry
 Protocol 2
 

test the backup with:

Code Block
rdiff-backup --force --include-globbing-filelist /root/rdiff-backups/backup-list-server / backup-server::/backup/raspberry/

Secure the ssh authentication

In /root/.ssh/authorized_keys add the following in front of 'ssh-rsa....'

Code Block
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 

so that the line in the file looks like:

Code Block
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA[......]3UV/ root@raspberry
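As an added example (not from this wiki page), a POSIX sh script that reads an authorized_keys file and reports, per key, which of the restrictions used above (command=, from=, no-pty, no-port-forwarding) are missing, so a backup key that lost its forced command is noticed. The awk parser applies sshd's own rule that the options field ends at the first whitespace outside double quotes. The sample file is constructed and its key bodies are placeholders, not real keys.

```shell
#!/bin/sh
# Added example: report which restriction options each key in an
# authorized_keys file carries. Not part of the wiki; the sample file and
# key bodies below are constructed placeholders, not real keys.

audit_authorized_keys() {   # $1 = authorized_keys file; prints one line per key
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        line = $0; inq = 0; end = 0
        # The options field ends at the first whitespace outside double quotes,
        # which is how sshd separates it from the key type.
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"") inq = !inq
            else if ((c == " " || c == "\t") && !inq) { end = i; break }
        }
        first = (end > 0) ? substr(line, 1, end - 1) : line
        # A line that starts with the key type carries no options at all.
        opts = (first ~ /^(ssh-|ecdsa-|sk-)/) ? "" : first
        missing = ""
        if (opts !~ /(^|,)command=/)                missing = missing " command"
        if (opts !~ /(^|,)from=/)                   missing = missing " from"
        if (opts !~ /(^|,)no-pty(,|$)/)             missing = missing " no-pty"
        if (opts !~ /(^|,)no-port-forwarding(,|$)/) missing = missing " no-port-forwarding"
        if (missing == "") printf "line %d: restricted\n", NR
        else               printf "line %d: missing%s\n", NR, missing
    }' "$1"
}

unrestricted_key_count() {   # number of keys lacking at least one restriction
    audit_authorized_keys "$1" | grep -c 'missing' || :
}

sample_authorized_keys() {   # writes a constructed file to $1
    cat > "$1" <<'EOF'
# constructed sample: key bodies are placeholders
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER root@raspberry

ssh-rsa AAAAB3PLACEHOLDER admin@workstation
from="192.0.2.10" ssh-ed25519 AAAAC3PLACEHOLDER deploy@ci
EOF
}

f=$(mktemp) && sample_authorized_keys "$f"
audit_authorized_keys "$f"
echo "keys without a full set of restrictions: $(unrestricted_key_count "$f")"
rm -f "$f"
```

On the sample this prints line 2 as restricted and flags lines 4 and 5; on a real server run `audit_authorized_keys /root/.ssh/authorized_keys` and expect every backup key to come back as restricted.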

Command line to remove old backups (older than two weeks)

Code Block
rdiff-backup --remove-older-than 2W backup-server::/backup/raspberry/

 

6. Configure a LDAP Fat Server/Client

 

https://help.ubuntu.com/community/UbuntuLTSP/FatClients

http://wiki.bluelightav.org/display/BLUE/Open+LDAP

http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/

http://ubuntuforums.org/showthread.php?t=1054966

http://ubuntuforums.org/showthread.php?t=1488232

https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html

http://ubuntuforums.org/archive/index.php/t-1156240.html

Install and configure LTSP

On the server:

If not done before, configure sources.list to use the server's apt cache:

Code Block
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
sed -i 's#http:/#http://192.168.10.1:3142/#g' /etc/apt/sources.list.d/medibuntu.list
apt-get update 

Install ltsp-server-standalone:

Code Block
sudo apt-get install ltsp-server-standalone

Edit the installation options of ltsp-build-client:

Code Block
/etc/ltsp/ltsp-build-client.conf
# The chroot architecture. 
ARCH=i386
# ubuntu-desktop and edubuntu-desktop are tested. 
# If you test with [k|x]ubuntu-desktop, edit this page and mention if it worked OK. 
# kubuntu lucid (10.10) working okay. 
FAT_CLIENT_DESKTOPS="ubuntu-desktop"
# Space separated list of programs to install. 
# The java plugin installation contained in ubuntu-restricted-extras 
# needs some special care, so let's use it as an example. 
LATE_PACKAGES=" 
 ubuntu-restricted-extras 
 gimp 
 nfs-client 
"
# This is needed to answer "yes" to the Java EULA. 
# We'll create that file in the next step. 
DEBCONF_SEEDS="/etc/ltsp/debconf.seeds"
# This uses the server apt cache to speed up downloading. 
# This locks the servers dpkg, so you can't use apt on 
# the server while building the chroot. 
MOUNT_PACKAGE_DIR="/var/cache/apt/archives/"

Create and edit the following file for the unattended Java and msttcorefonts installation:

Code Block
/etc/ltsp/debconf.seeds
# Do you agree with the DLJ license terms?
sun-java6-bin shared/accepted-sun-dlj-v1-1 boolean true
sun-java6-jre shared/accepted-sun-dlj-v1-1 boolean true
# In order to install this package, you must accept the license terms, the
# "TrueType core fonts for the Web EULA ". Not accepting will cancel the
# installation. Do you accept the EULA license terms?
ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula boolean true

If LTSP is installed on an Oneiric system (otherwise go to the next step):

The fat client plugin blacklists some packages that don't make sense to have in a fat client chroot.

Unfortunately in Oneiric xdiagnose depends on one of those packages, apport, so the fat client plugin needs to be manually edited for ltsp-build-client to complete successfully.  

Open the following file and remove the word "apport" from line 43:

Code Block
/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/030-fat-client

 

Build the client (even when using the server's cache some of the files are still downloaded from the internet; if a solution is found please update this page)

Code Block
ltsp-build-client --mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu --security-mirror http://192.168.10.1:3142/security.ubuntu.com/ubuntu --updates-mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu

if this doesn't work you can always modify the configuration files:

Code Block
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/000-basic-configuration
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/010-updates-mirrors

You can use the fat chroot also to run thin clients, not only fat ones. This way you can have a mix of powerful and less powerful clients, which become "fat" or "thin" based upon their RAM (consider the fat chroot a "superset" of a thin one, so a thin boot uses only a small but common part of it). The parameter that affects the RAM threshold is:

Code Block
FAT_RAM_THRESHOLD

which defaults to 300 (MB). So if you want your clients to boot as fat ones only if they have more than 800MB, edit lts.conf and put:

Code Block
FAT_RAM_THRESHOLD=800

Another interesting feature is to have a server directory available to all the fat clients. For instance, to have the fat clients mount the server's /srv as their own /srv, add this parameter:

Code Block
LOCAL_APPS_EXTRAMOUNTS=/srv

 

-------------------------

Install and configure DHCP

Configure /etc/network/interfaces

Code Block
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
broadcast 192.168.2.255

Code Block
cp /etc/ltsp/dhcpd.conf /etc/ltsp/dhcpd-backup.conf
emacs /etc/ltsp/dhcpd.conf

Code Block
#
# Default LTSP dhcpd.conf config file.
#
#authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
 range 192.168.2.2 192.168.2.250;
 option domain-name "LSTPtest.av";
 option domain-name-servers 192.168.2.1;
 option broadcast-address 192.168.2.255;
 option routers 192.168.2.1;
# next-server 192.168.2.1;
# get-lease-hostnames true;
 option subnet-mask 255.255.255.0;
 option root-path "/opt/ltsp/i386";
 if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
 filename "/ltsp/i386/pxelinux.0";
 } else {
 filename "/ltsp/i386/nbi.img";
 }
}

Code Block
sudo /etc/init.d/networking restart
sudo /etc/init.d/isc-dhcp-server restart

 

If there are problems, kill NetworkManager or even uninstall it, as it interferes with the DHCP config.

Code Block
killall NetworkManager

 

WORKS UNTIL HERE, CLIENTS BOOT

Install and configure LDAP

Install the server dependencies

Code Block
apt-get install slapd ldap-utils ldapscripts

Create /etc/ldap/frontend.bluelight.av.ldif

Code Block
dn: ou=Users,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Groups
 
Code Block
ldapadd -x -D cn=admin,dc=bluelight,dc=av -W -f frontend.bluelight.av.ldif

 

If you get the error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Try to start slapd:

Code Block
/etc/init.d/slapd start

If you get the credential error try to reconfigure/reinstall slapd:

Code Block
rm -R slapd.d/        # run from /etc/ldap, where slapd.d lives
dpkg-reconfigure slapd

If it still doesn't work check the following file:

  • slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif 

you can also change the olcRootPW to secret

Code Block
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=bluelight,dc=av
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=bluelight,dc=av" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=bluelight,dc=av" write by
 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=bluelight,dc=av
olcRootPW:: e1NTSEF9ZHVjOVVVLytLcnpqMEtaRDhtWHkwMWxMcmFrUVkrN2I=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 8cf0846c-d6d0-1030-8040-b16ccc9dfedc
creatorsName: cn=config
createTimestamp: 20120119100316Z
entryCSN: 20120119100316.322583Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120119100316Z
 

 

Install the authentication for the server

Code Block
apt-get install ldap-auth-client auth-client-config

This is done with a simple migration tool called auth-client-config.
The configuration is done via its profiles which are stored in /etc/auth-client-config/profile.d

We can save the current, untouched configuration, list the existing profiles, and set our profile to the one we want:

 

Code Block
auth-client-config -S > /etc/auth-client-config/profile.d/original-config
auth-client-config -l
auth-client-config -p lac_ldap -a

This will update the files in /etc/pam.d/ and /etc/nsswitch.conf

 

Change in /etc/ldapscripts/ldapscripts.conf

Code Block
/etc/ldapscripts/ldapscripts.conf
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
GIDSTART="2000" # Group ID
UIDSTART="2000" # User ID
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
 

The original:

Code Block
# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.

# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
 
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
 
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
 
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
#MIDSTART="20000" # Machine ID
 
# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u" # You may use %u for username here
#CREATEHOMES="no" # Create home directories and set rights ?
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories
 
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN="<ask>"
#PASSWORDGEN="pwgen"
 
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
#RECORDPASSWORDS="no"
#PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 
# Where to log
#LOGFILE="/var/log/ldapscripts.log"
 
# Temporary folder
#TMPDIR="/tmp"
 
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
 
# OpenLDAP client commands
#LDAPSEARCHBIN="/usr/bin/ldapsearch"
#LDAPADDBIN="/usr/bin/ldapadd"
#LDAPDELETEBIN="/usr/bin/ldapdelete"
#LDAPMODIFYBIN="/usr/bin/ldapmodify"
#LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
#LDAPPASSWDBIN="/usr/bin/ldappasswd"
 
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"
 
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
 
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""
 
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

 

Add a user

Code Block
ldapadduser testuser users 

 

Install and configure NFS

Install the main package

 

Code Block
aptitude install nfs-kernel-server

and configure the shares by adding the following to /etc/exports

 

Code Block
/home 192.168.10.0/24(rw,async,no_subtree_check)
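As an added example (not from this wiki page), a POSIX sh script that reads an /etc/exports file and reports, per (path, client) pair, the settings that widen who can reach a share or who gets root on it: a client of `*` or none at all, `no_root_squash`, and `insecure`. It deliberately handles the classic mistake of a space between the client and the options, which NFS reads as "those options for everyone, defaults for the named client". The sample file is constructed; its first line reuses the export above.

```shell
#!/bin/sh
# Added example, not from the wiki: review an /etc/exports file for the
# settings that widen who can reach a share or who gets root on it.
# The sample file is constructed; its first line is the export from this page.

audit_exports() {   # $1 = exports file; one line per (path, client) pair
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            entry = $i; host = entry; opts = ""
            p = index(entry, "(")
            if (p > 0) {
                host = substr(entry, 1, p - 1)
                opts = substr(entry, p + 1); sub(/\)$/, "", opts)
            }
            flags = ""
            # "(rw)" standing alone (space before it) or "*" exports to every client
            if (host == "" || host == "*") flags = flags " any-client"
            if (opts ~ /(^|,)no_root_squash(,|$)/) flags = flags " no_root_squash"
            if (opts ~ /(^|,)insecure(,|$)/)       flags = flags " insecure"
            shown = (host == "") ? "(all hosts)" : host
            if (flags == "") printf "%s %s: ok\n", path, shown
            else             printf "%s %s:%s\n", path, shown, flags
        }
    }' "$1"
}

flagged_export_count() {   # entries with at least one finding
    audit_exports "$1" | grep -vc ': ok$' || :
}

sample_exports() {   # constructed /etc/exports written to $1
    cat > "$1" <<'EOF'
# constructed sample exports file
/home 192.168.10.0/24(rw,async,no_subtree_check)
/srv 192.168.10.0/24 (rw,no_root_squash)
/pub *(ro,insecure)
EOF
}

f=$(mktemp) && sample_exports "$f"
audit_exports "$f"
echo "entries with findings: $(flagged_export_count "$f")"
rm -f "$f"
```

On the sample the /home line (the page's export) comes back ok, while the /srv line splits into a harmless entry for 192.168.10.0/24 and a second one that gives every client read-write access with root not squashed; `audit_exports /etc/exports` runs the same check on a real server.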

 

On the client:

Chroot into the client's system

 

 

 

Install and configure LDAP

The following works for clients using 8.04 and 8.10.

Install some software:

Code Block
aptitude install auth-client-config ldap-auth-client

Answer the debconf questions as follows:

  • provide the URI for the LDAP server: ldap://192.168.10.1
  • provide the distinguished name: dc=bluelight,dc=av
  • LDAP version: 3
  • Make local root database: yes
  • Does the LDAP database require login? no
  • LDAP account for root: cn=admin,dc=bluelight,dc=av

Save the following as a file in /etc/auth-client-config/profile.d/bl-ldap

Code Block
/etc/auth-client-config/profile.d/bl-ldap
[bl-ldap]
nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account    sufficient   pam_ldap.so
        account    required     pam_unix.so
pam_auth=auth       sufficient   pam_ldap.so
        auth       required     pam_unix.so nullok_secure use_first_pass
pam_password=password   sufficient   pam_ldap.so
        password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    optional     pam_ldap.so
        session    optional     pam_foreground.so

Save the current settings and tell PAM to use LDAP

Code Block
auth-client-config -S > /etc/auth-client-config/profile.d/original
auth-client-config -p bl-ldap -a

Add the following to /etc/security/group.conf

Code Block
gdm;*;*;Al0000-2400;plugdev,fuse,scanner,video,audio,lpadmin,cdrom,dip

add following line to /etc/pam.d/gdm right before @include common-auth

Code Block
auth	optional	pam_group.so

make sure that the ldap settings are correct, as specified in /etc/ldap.conf

Code Block
base dc=bluelight,dc=av
uri ldap://192.168.10.1
ldap_version 3
rootbinddn cn=admin,dc=bluelight,dc=av
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,polkituser,proxy,pulse,root,saned,sshd,statd,sync,sys,syslog,uucp,www-data

A little reminder: the following grep command strips the comments and empty lines

Code Block
grep -v -e ^$ -e ^# /etc/ldap.conf 

Make the client ready for nfs

Install the needed packages

Code Block
aptitude install nfs-client

make the fstab ready for mounting the home directory

Code Block
/etc/fstab
nfsserver.bluelight.av:/home	/home	nfs	defaults	0	0