1. Assignment: Install a Debian SSH server in VirtualBox and access it
Configure apt to use the apt-cacher-ng proxy on 192.168.10.1, port 3142 (apt-cacher-ng's default; 3128 is squid's port, not this proxy's):
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
Install emacs
sudo aptitude install emacs
Install and configure the OpenSSH server and make key-based login work
If ssh-add cannot talk to an agent, start one first:
eval `ssh-agent`
or run a shell under a fresh agent:
exec ssh-agent bash
Append sam_sshkey.pub to ~/.ssh/authorized_keys of the account you will log in as.
Add to /etc/ssh/sshd_config:
AllowUsers xxx
and change, in the same file:
PasswordAuthentication no
PermitRootLogin no
sshd uses the first uncommented occurrence of a keyword, so make sure no earlier line in the file still sets PasswordAuthentication yes; check the file with sshd -t and reload sshd afterwards.
If key login doesn't work, check the owner and permissions of ~/.ssh (700) and ~/.ssh/authorized_keys (600), both owned by the user: with StrictModes (the default) sshd silently ignores the key file otherwise, and the reason only shows up in /var/log/auth.log.
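The two failure modes above (a hardened directive that sshd never sees because an earlier line wins, and a key file that sshd refuses because of its mode) can be checked before logging out of the console. The script below is an added example and not part of the original notes; it assumes GNU stat (Debian) and that it is run as the user whose ~/.ssh is being checked.

```shell
#!/bin/sh
# Added example (not part of the original notes): pre-flight checks for key-only
# SSH login on the server just configured. Assumes GNU stat (Debian) and that
# the user running it is the owner of the ~/.ssh being checked.

# sshd_directive CONFIG KEYWORD
# Prints the value sshd will use. sshd takes the FIRST uncommented occurrence
# of a keyword, so a hardened line appended at the end of the file is ignored
# when an earlier line already sets it. (Match blocks are not handled here.)
sshd_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_config_hardened CONFIG
# Returns 0 when password login and root login are off and AllowUsers is set.
sshd_config_hardened() {
    cfg=$1
    rc=0
    [ "$(sshd_directive "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_directive "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_directive "$cfg" AllowUsers)" ] \
        || { echo "no AllowUsers line: every account with a key can log in"; rc=1; }
    return $rc
}

# authorized_keys_perms_ok SSHDIR
# Returns 0 when SSHDIR is mode 700 and SSHDIR/authorized_keys is 600 (sshd
# also accepts 644), both owned by the current user. With StrictModes (the
# default) sshd ignores the key file otherwise and only logs the reason to
# /var/log/auth.log, which is exactly the "ssh doesn't work" symptom above.
authorized_keys_perms_ok() {
    dir=$1
    me=$(id -u)
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ -f "$dir/authorized_keys" ] || { echo "missing $dir/authorized_keys"; return 1; }
    for path in "$dir" "$dir/authorized_keys"; do
        [ "$(stat -c '%u' "$path")" = "$me" ] \
            || { echo "$path is not owned by uid $me"; return 1; }
    done
    case "$(stat -c '%a' "$dir")" in
        700) ;;
        *) echo "$dir must be mode 700"; return 1 ;;
    esac
    case "$(stat -c '%a' "$dir/authorized_keys")" in
        600|644) ;;
        *) echo "$dir/authorized_keys must be mode 600"; return 1 ;;
    esac
    return 0
}

# Usage: sh ssh-preflight.sh ~/.ssh [/etc/ssh/sshd_config]
# The checks only run when arguments are given, so the file can also be sourced.
if [ $# -ge 1 ]; then
    authorized_keys_perms_ok "$1" && sshd_config_hardened "${2:-/etc/ssh/sshd_config}"
fi
```

Run it as the login user before closing the console session: a non-zero exit names the directive or path that still needs fixing.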
Install bash completion
aptitude install bash-completion
Add the following to ~/.bashrc or ~/.bash_profile:
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
Document the work done
Well, that's kind of done, but the editing interface of the wiki is not yet clear to me. A few shortcuts:
- create a code box: type {code and press Enter
- heading: Ctrl+1, Ctrl+2 or Ctrl+3
- bullet list: Shift+Ctrl+B
- bold, underline, italic: Ctrl+B, Ctrl+U, Ctrl+I
- save: Ctrl+S
Problems encountered after installation of Debian
On start and halt
PROBLEM:
exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken
SOLUTION: read the paniclog, then remove it
rm /var/log/exim4/paniclog
The network had to be started manually:
dhclient eth0
PROBLEM: with 'auto eth0' added to /etc/network/interfaces, the boot hangs at the NFS step.
SOLUTION: there was no 'auto lo' in /etc/network/interfaces. Adding it, together with 'auto eth0', makes it work.
2. Assignment: Install a graphical interface on a Debian installation
Install Debian with nothing more than the minimum (except for the laptop)
Install XOrg
apt-get install xorg
Install Gnome
apt-get install gnome-core
To test the installation:
startx
Change the resolution
Ctrl+Alt+'+' and Ctrl+Alt+'-' cycle through the configured modes
List the available resolutions and switch to one:
xrandr -q
xrandr -s <resolution>
Install a display manager
apt-get install gdm
to start it
gdm
Install proprietary graphics card drivers:
The nvidia installer builds a kernel module, so unless you compile your own kernel you need the headers of the running kernel.
Check the kernel version
uname -r
Install the matching kernel headers and point /usr/src/linux at them
apt-get install linux-headers-$(uname -r)
rm /usr/src/linux
ln -s /usr/src/linux-headers-$(uname -r) /usr/src/linux
Install the compilers
apt-get install gcc g++
For nvidia cards
Download the latest driver from the nvidia website.
Stop gdm (it might need a kill)
/etc/init.d/gdm stop
Install the driver
sh NVIDIA...
When the installer offers to download a precompiled kernel interface, decline and let it compile a new one. Then generate the X configuration and restart gdm:
nvidia-xconfig
/etc/init.d/gdm restart
To remove the nvidia splash logo, add to the Device section of xorg.conf:
Option "NoLogo" "1"
3. Assignment: Install Amanda & use it
Installation
Create the directory structure for the folders that keep the backup
mkdir /mnt/backup
#mount $DISK /mnt/backup/
mkdir -p /mnt/backup/vtapes /mnt/backup/holding/sam
chown -R backup:disk /mnt/backup/*
Create the config in /etc/amanda
mkdir /etc/amanda/sam-daily
touch /etc/amanda/sam-daily/amanda.conf /etc/amanda/sam-daily/disklist
chown -R backup:backup /etc/amanda/sam-daily
/etc/amanda/sam-daily/amanda.conf
org "sam"
mailto "root"
dumpcycle 7
runspercycle 5
tapecycle 30
dumpuser "backup"
tpchanger "chg-disk:/mnt/backup/vtapes/sam"   # a virtual tape changer
#tapedev "/dev/nst0a"                          # the tape changer
#tapedev "file:/mnt/backup/vtapes/offering"
changerfile "/var/lib/amanda/sam/changerfile"
labelstr "SAM.*"
label_new_tapes "SAM-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/sam"
infofile "/var/lib/amanda/sam/curinfo"
indexdir "/var/lib/amanda/sam/index"
tapelist "/var/lib/amanda/sam/tapelist"
runtapes 5
#usetimestamps YES
dtimeout 3600   # seconds per client per dump

holdingdisk hd1 {
    directory "/mnt/backup/holding/sam"
}

define dumptype comp-tar {
    program "GNUTAR"
    index yes
    # record no   # Important! avoid interfering with production runs
    auth "bsdtcp"
}

define dumptype user-tar-span {
    comp-tar
    tape_splitsize 445 MB
    auth "bsd"
    #holdingdisk no
    #split_diskbuffer "/mnt/holding/diskbuffer"
    #fallback_splitsize 100M
    comment "tape-spanning user partitions dumped with tar"
    #exclude list "/etc/amanda/sam-daily/exclude-list"
}

define dumptype user-tar-span-home {
    user-tar-span
    comment "excluding all the unwanted things from /home"
    # exclude list "/etc/amanda/sam-daily/exclude-list"
}

define tapetype DVD_SIZED_DISK {
    filemark 4 KB
    length 4482 MB
}
Allow the Amanda server (here the same host) to run amdump as user backup by adding it to the backup user's .amandahosts:
echo "debian-server-test-sam.bluelight.av backup amdump" >> /var/backups/.amandahosts
bsd/bsdtcp authentication trusts the hostname and user pair as presented on the network, so the name must resolve consistently in both directions, and the file must stay owned by backup and writable by nobody else or amandad rejects it.
/etc/amanda/sam-daily/disklist
debian-server-test-sam.bluelight.av /etc  user-tar-span
debian-server-test-sam.bluelight.av /var  user-tar-span
debian-server-test-sam.bluelight.av /root user-tar-span
#debian-server-test-sam.bluelight.av /home/./all /home/ {
#    user-tar-span
#    exclude append "./media_no_backup"
#}
As the backup user create all the virtual tapes:
su backup -c "mkdir /mnt/backup/vtapes/sam"
for i in `seq 30`; do su backup -c "mkdir /mnt/backup/vtapes/sam/slot$i"; done
cd /mnt/backup/vtapes/sam && ln -s slot1 data
create the tapelist
su backup -c "mkdir /var/lib/amanda/sam"
su backup -c "touch /var/lib/amanda/sam/tapelist"
label the tapes
for i in `seq 30`; do su backup -c "/usr/sbin/amlabel sam-daily SAM-$i slot $i"; done
/root/scripts/amanda-backup (after creating the folder)
#!/bin/bash
#mount ${DISK} /mnt/backup
su backup -c "/usr/sbin/amdump sam-daily"
#sleep 5
#umount /mnt/backup
exit 0
chmod +x /root/scripts/amanda-backup
Recover
Create the directory where the recovery should be dumped: /mnt/recovery
To be able to run a recovery add the following line to /etc/amandahosts (on Debian /etc/amandahosts and the /var/backups/.amandahosts used above are the same file, one a symlink to the other); it lets root on this host talk to the index and tape servers:
localhost root amindexd amidxtaped
Go to the /mnt/recovery folder (amrecover extracts into the current directory) and run:
amrecover sam-daily
listhost
sethost debian-server-test-sam.bluelight.av
listdisk
setdisk /etc
cd <folder name>                 (ls works too)
add <folder to recover, or * for everything>
extract
exit
Problems encountered
...amanda.conf ...Line 54: end of line expected
SOLUTION: the file had no trailing newline. Press Enter at the end of the file and save.
4. Assignment: Weekly backup for server cupcake
First phase: Test on VirtualBox
Clone the amanda disk already created.
Do it by exporting an appliance and then importing it, preferably under a new name.
PROBLEM: the cloned VM has the same network card with the same MAC address.
SOLUTION: change the MAC address in VirtualBox and then in the OS:
emacs /etc/udev/rules.d/70-persistent-net.rules
Keep only the interface entry with the new MAC address and make sure it is named eth0. Restart the OS.
Create the virtual drive and mount its partitions on the server
Create one drive in VirtualBox and create two partitions on it:
fdisk -l
cfdisk /dev/sdb
Format the partitions and mount them:
mkfs.ext3 /dev/sdb1
mkfs.ext3 /dev/sdb2
mkdir /media/backup-data /media/backup-data2
mount -t ext3 /dev/sdb1 /media/backup-data
mount -t ext3 /dev/sdb2 /media/backup-data2
Create a daily backup of the second virtual OS
Second phase: Configure CUPCAKE
Explanation of dumpcycle, runspercycle and related settings in amanda.conf

dumpcycle      number of days within which every DLE gets a full backup (ex: every 4 weeks = 28)
runspercycle   how many amdump runs per dumpcycle (ex: once a week = 4)
runtapes       how many tapes may be used per run (ex: biggest DLE plus a margin, divided by the tapetype size = 12)
tapecycle      how many tapes are in rotation; every run consumes some, and the oldest is reused only once the whole pool has been cycled. runtapes * runspercycle plus a margin (ex: 50)
tapetype       defines the size of one tape (ex: DVD size, 4.5 GB)

Example calendar for dumpcycle 28, runspercycle 4 and runtapes 12, with three DLEs:

    DLE_1   10G
    DLE_2   45G
    DLE_3    1G

    day  7   run, up to 12 tapes
    day 14   run, up to 12 tapes
    day 21   run, up to 12 tapes
    day 28   run, up to 12 tapes    (end of the dumpcycle; day 29 starts the next one)
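The rules of thumb in the table can be turned into numbers and, more usefully, checked against the constraint Amanda itself enforces (tapecycle must exceed runspercycle * runtapes, otherwise amcheck warns) and against the number of vtape slots actually created. The script below is an added example and not part of the original notes; all sizes are in MB, and the DLE sizes and 10 % margin are the ones from the table above.

```shell
#!/bin/sh
# Added example (not part of the original notes): turn the sizing rules of
# thumb from the table above into numbers and check a configuration against
# Amanda's own constraints. Sizes are in MB; the DLE sizes and the 10 % margin
# used at the bottom are assumptions taken from the table.

# ceil_div A B -> smallest integer >= A/B
ceil_div() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# amanda_plan TAPE_MB RUNSPERCYCLE MARGIN_PCT DLE_MB...
# runtapes  = biggest DLE plus margin, divided by the tape size, rounded up
#             (the full dump of any single DLE must fit in one run)
# tapecycle = one dumpcycle's worth of tapes plus one extra run, so the tapes
#             of the run in progress are never the ones about to be reused
amanda_plan() {
    tape=$1; runs=$2; margin=$3
    shift 3
    biggest=0
    for dle in "$@"; do
        if [ "$dle" -gt "$biggest" ]; then biggest=$dle; fi
    done
    need=$(( biggest * (100 + margin) / 100 ))
    runtapes=$(ceil_div "$need" "$tape")
    tapecycle=$(( runtapes * (runs + 1) ))
    echo "runtapes=$runtapes tapecycle=$tapecycle"
}

# amanda_cycle_ok RUNTAPES RUNSPERCYCLE TAPECYCLE
# Amanda requires tapecycle > runspercycle * runtapes; amcheck warns otherwise.
amanda_cycle_ok() {
    [ "$3" -gt $(( $1 * $2 )) ]
}

# amanda_slots_ok TAPECYCLE SLOTS
# A tape is only overwritten once it is the oldest of tapecycle used tapes, so
# a chg-disk changer needs at least tapecycle labelled slots or runs will stall.
amanda_slots_ok() {
    [ "$2" -ge "$1" ]
}

# Example from the table: DVD-sized vtapes (4482 MB), 4 runs per 28-day cycle,
# DLEs of 10 G, 45 G and 1 G -> 12 tapes per run
amanda_plan 4482 4 10 10240 46080 1024
```

Applied to the generator script further down (runtapes 15, runspercycle 4, tapecycle 60, 30 slots), amanda_cycle_ok 15 4 60 fails because 60 is not greater than 15 * 4, and amanda_slots_ok 60 30 fails because only half of the promised tapes exist.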
Creating the script adapted to the situation of the server at the time (12/2011)
#!/bin/bash
## this is to automate the amanda setup
set -e
## variables used.
SERVICE=bluelight
FREQ=-weekly                      # frequency of the backup
MOUNTPOINT1=/media/backup-data    # mountpoint for holding
MOUNTPOINT2=/media/backup-data2   # mountpoint for backup
TAPE=$(echo "${SERVICE}${FREQ}" | tr '[a-z]' '[A-Z]')
## create the directory structure for the folders to keep the backup
## (the vtapes tree on MOUNTPOINT2 has to exist before it is chowned and populated)
mkdir -p ${MOUNTPOINT1}/amanda/holding/${SERVICE}${FREQ}
mkdir -p ${MOUNTPOINT2}/amanda/vtapes
chown -R backup:disk ${MOUNTPOINT2}/amanda ${MOUNTPOINT1}/amanda
## create the config in /etc/amanda
mkdir -p /etc/amanda/${SERVICE}${FREQ}
touch /etc/amanda/${SERVICE}${FREQ}/amanda.conf /etc/amanda/${SERVICE}${FREQ}/disklist
chown -R backup:backup /etc/amanda/${SERVICE}${FREQ}
## The config files (quoted EOF: nothing in amanda.conf is meant to be expanded by the shell)
cat <<'EOF' > /etc/amanda/${SERVICE}${FREQ}/amanda.conf
org "Bluelight"
mailto "bluelight@auroville.org.in"
dumpcycle 28
runspercycle 4
runtapes 15
tapecycle 60      # must be greater than runtapes * runspercycle (15 * 4 = 60) or amcheck warns
dumpuser "backup"
tpchanger "chg-disk"   # a virtual tape changer
tapedev "file:/media/backup-data2/amanda/vtapes/bluelight-weekly"
changerfile "/var/lib/amanda/bluelight-weekly/changerfile"
labelstr "BLUELIGHT-WEEKLY-.*"
#label_new_tapes "BLUELIGHT-WEEKLY-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/bluelight-weekly"
infofile "/var/lib/amanda/bluelight-weekly/curinfo"
indexdir "/var/lib/amanda/bluelight-weekly/index"
tapelist "/var/lib/amanda/bluelight-weekly/tapelist"
holdingdisk hd1 {
    directory "/media/backup-data/amanda/holding/bluelight-weekly"
}
define dumptype comp-tar {
    program "GNUTAR"
    compress fast
    index yes
    # record no   # Important! avoid interfering with production runs
}
define dumptype user-tar-span {
    comp-tar
    tape_splitsize 445 MB
    holdingdisk no
    split_diskbuffer "/media/backup-data/amanda/holding/diskbuffer"
    fallback_splitsize 100M
    comment "tape-spanning user partitions dumped with tar"
    compress none
}
define dumptype user-tar-span-home {
    user-tar-span
    comment "excluding all the unwanted things from /home"
    exclude list "/etc/exclude-list"
    compress none
}
define tapetype DVD_SIZED_DISK {
    filemark 4 KB
    length 4482 MB
}
EOF
## create the disklist
cat <<'EOF' > /etc/amanda/${SERVICE}${FREQ}/disklist
rose.bluelight.av /etc  user-tar-span
rose.bluelight.av /root user-tar-span
rose.bluelight.av /var  user-tar-span
#192.168.10.12 /home/aufilduweb/data/Entreprises/Auroville/ user-tar-span
#
#192.168.10.12 /var/www/./programming /var/www {
#    user-tar-span
##   auth "bsdtcp"
#    include "./meeting"
#    include "./act"
#    include "./mm_visitor_access"
#} 2
#this section is for everything in /home
######
rose.bluelight.av /home/./bharathy /home/ {
    user-tar-span-home
    include "./bharathy"
} 1
rose.bluelight.av /home/./juergen /home/ {
    user-tar-span-home
    include "./juergen"
} 1
rose.bluelight.av /home/./resources /home/ {
    user-tar-span-home
    include "./resources"
} 1
rose.bluelight.av /home/./rest /home/ {
    user-tar-span-home
    exclude append "./bharathy"
    exclude append "./juergen"
    exclude append "./resources"
    exclude append "./backup"
    exclude append "./backup_services"
    exclude append "./rdiff-backup"
    exclude append "./classes"
    exclude append "./joy"
    exclude append "./sincerity"
    exclude append "./surrender"
    exclude append "./music"
} 1
######
EOF
## as the backup user create all the virtual tapes and label them
## NOTE: only 30 slots are created while tapecycle is 60. Amanda does not
## overwrite a tape until it is the oldest of tapecycle used tapes, so either
## create and label at least 60 slots or lower tapecycle.
su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}"
for i in $(seq 30); do su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}/slot$i"; done
cd ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ} && ln -s slot1 data
## create the tapelist
su backup -c "mkdir /var/lib/amanda/${SERVICE}${FREQ}"
su backup -c "touch /var/lib/amanda/${SERVICE}${FREQ}/tapelist"
## label the tapes
for i in $(seq 30); do su backup -c "/usr/sbin/amlabel ${SERVICE}${FREQ} ${TAPE}-$i slot $i"; done
[ -d /root/scripts ] || mkdir /root/scripts
## create the starting script (unquoted EOF on purpose: ${SERVICE}${FREQ} is expanded now)
cat <<EOF > /root/scripts/amanda-${SERVICE}${FREQ}-backup
#!/bin/bash
su backup -c "/usr/sbin/amdump ${SERVICE}${FREQ}"
sleep 20
# if the machine should stay on after the backup create a file in / called no
# ie touch /no
if [ -f /no ]
then
    rm -f /no
    exit 0
else
    /sbin/halt
fi
exit 0
EOF
chmod +x /root/scripts/amanda-${SERVICE}${FREQ}-backup
exit 0
Create a crontab entry (the script names must match what was actually created; the generator above writes /root/scripts/amanda-bluelight-weekly-backup)
# m  h  dom mon dow   command
17  12  *   *   1-4   /root/scripts/backup-bluelight
17  12  *   *   5     /root/scripts/backup-bluelight-weekly
Changed runspercycle of the daily backup to 4 in its amanda.conf (one run per day, Monday to Thursday, as in the crontab).
PROBLEM:
amrecover bluelight-weekly
AMRECOVER Version 2.5.2p1. Contacting server on localhost ... [request failed: timeout waiting for ACK]
SOLUTION: name the index server (-s) and the tape server (-t) explicitly instead of relying on localhost:
amrecover bluelight-weekly -s cupcake.bluelight.av -t cupcake.bluelight.av
5. Assignment: Make a weekly off-site backup of the TownHall
Rdiff-backup
Install rdiff-backup on the server and on the workstation.
apt-get install rdiff-backup
and create a backup folder on the server (ex: /backup/servername/)
Login using an ssh key
As root on the workstation create the key. Do not enter a passphrase: the backup runs unattended from cron, which is exactly why the key is locked down on the server side further down ('Secure the ssh authentication').
ssh-keygen -t rsa
Copy the public key to the server
scp /root/.ssh/id_rsa.pub root@192.168.10.91:/root/
Append the public key to .ssh/authorized_keys (in the home folder) of the user you want to log in as
cat id_rsa.pub >> /root/.ssh/authorized_keys
Change in /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin without-password
(without-password lets root in with a key only; newer OpenSSH releases spell the same setting prohibit-password.)
If ssh doesn't work check the group and owner of .ssh/authorized_keys (700 on the directory, 600 on the file) or check the name of the file...
Create a backup list
/root/rdiff-backups/backup-list-server
/home/
- /
(one pattern per line: /home/ is included, and the final "- /" excludes everything else.)
Create an ssh alias to access the server
/root/.ssh/config
Host backup-server
    Hostname 192.168.10.91
    User root
    IdentityFile /root/.ssh/id_rsa_backup_raspberry
    Protocol 2
IdentityFile must be the private half of the key whose .pub was appended on the server; the key generated above was /root/.ssh/id_rsa, so rename one or the other.
Test the backup with:
rdiff-backup --force --include-globbing-filelist /root/rdiff-backups/backup-list-server / backup-server::/backup/raspberry/
Secure the ssh authentication
In /root/.ssh/authorized_keys on the server add the following in front of 'ssh-rsa....' (all on one line, no spaces around the commas)
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
so the line in the file looks like:
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA[......]3UV/ root@raspberry
This turns the passphrase-less key into one that can only ever run rdiff-backup --server, and only from that client; from= is matched against the reverse-resolved name of the connecting address, so it is only as strong as the DNS the server trusts. The key still logs in as root, and rdiff-backup --server can then read and write any path on the server: to confine it to the backup tree add rdiff-backup's --restrict option to the forced command (command="rdiff-backup --server --restrict /backup/raspberry"), or back up to a dedicated unprivileged account that owns /backup/raspberry.
Command line to remove old backups (increments older than two weeks):
rdiff-backup --remove-older-than 2W backup-server::/backup/raspberry/
6. Configure a LDAP Fat Server/Client
https://help.ubuntu.com/community/UbuntuLTSP/FatClients
http://wiki.bluelightav.org/display/BLUE/Open+LDAP
http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/
http://ubuntuforums.org/showthread.php?t=1054966
http://ubuntuforums.org/showthread.php?t=1488232
https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html
http://ubuntuforums.org/archive/index.php/t-1156240.html
Install and configure LTSP
On the server:
If not done before, configure the sources.list files to use the apt cache of the server:
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list.d/medibuntu.list
apt-get update
Install ltsp-server-standalone:
sudo apt-get install ltsp-server-standalone
Edit the installation options of ltsp-build-client in /etc/ltsp/ltsp-build-client.conf:
# The chroot architecture.
ARCH=i386

# ubuntu-desktop and edubuntu-desktop are tested.
# If you test with [k|x]ubuntu-desktop, edit this page and mention if it worked OK.
# kubuntu lucid (10.10) working okay.
FAT_CLIENT_DESKTOPS="ubuntu-desktop"

# Space separated list of programs to install.
# The java plugin installation contained in ubuntu-restricted-extras
# needs some special care, so let's use it as an example.
LATE_PACKAGES="
    ubuntu-restricted-extras
    gimp
    nfs-client
"

# This is needed to answer "yes" to the Java EULA.
# We'll create that file in the next step.
DEBCONF_SEEDS="/etc/ltsp/debconf.seeds"

# This uses the server apt cache to speed up downloading.
# This locks the servers dpkg, so you can't use apt on
# the server while building the chroot.
MOUNT_PACKAGE_DIR="/var/cache/apt/archives/"
Create and edit /etc/ltsp/debconf.seeds (the DEBCONF_SEEDS file above) for the unattended Java and msttcorefonts installation:
# Do you agree with the DLJ license terms?
sun-java6-bin shared/accepted-sun-dlj-v1-1 boolean true
sun-java6-jre shared/accepted-sun-dlj-v1-1 boolean true

# In order to install this package, you must accept the license terms, the
# "TrueType core fonts for the Web EULA ". Not accepting will cancel the
# installation. Do you accept the EULA license terms?
ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula boolean true
If LTSP is installed on an Oneiric system (otherwise go to the next step):
The fat client plugin blacklists some packages that don't make sense in a fat client chroot.
Unfortunately in Oneiric xdiagnose depends on one of those packages, apport, so the fat client plugin needs to be edited by hand for ltsp-build-client to complete successfully.
Open the following file and remove the word "apport" from line 43:
/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/030-fat-client
Build the client (even when using the server's cache some files are still downloaded from the internet; if a solution is found please update this page)
ltsp-build-client \
    --mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu \
    --security-mirror http://192.168.10.1:3142/security.ubuntu.com/ubuntu \
    --updates-mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu
If this doesn't work you can always modify the plugin configuration files:
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/000-basic-configuration
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/010-updates-mirrors
The fat chroot can also serve thin clients, not only fat ones. This way you can mix powerful and weak clients: they become "fat" or "thin" according to their RAM (consider the fat chroot a superset of a thin one; a thin boot uses only a small, common part of it). The parameter that sets the RAM threshold is:
FAT_RAM_THRESHOLD
which defaults to 300 (MB). So if you want clients to boot as fat ones only when they have more than 800 MB, edit lts.conf and put:
FAT_RAM_THRESHOLD=800
Another useful feature is making a directory of the server available to all fat clients. For instance, to have the fat clients mount the server's /srv as their own /srv add this parameter:
LOCAL_APPS_EXTRAMOUNTS=/srv
-------------------------
Install and configure DHCP
apt-get install dhcp3-server   (should already be installed with ltsp-server-standalone)
cp /etc/ltsp/dhcpd.conf /etc/ltsp/dhcpd-backup.conf
emacs /etc/ltsp/dhcpd.conf
#
# Default LTSP dhcpd.conf config file.
#
#authoritative;

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.2 192.168.2.250;
    option domain-name "LSTPtest.av";
    option domain-name-servers 192.168.2.1;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
#    next-server 192.168.2.1;
#    get-lease-hostnames true;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/i386";
    if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
        filename "/ltsp/i386/pxelinux.0";
    } else {
        filename "/ltsp/i386/nbi.img";
    }
}
sudo service networking start
If there are problems, stop NetworkManager or even uninstall it, as it interferes with the dhcp configuration.
killall NetworkManager
Install and configure LDAP
Install the server dependencies
apt-get install slapd ldap-utils ldapscripts
Create /etc/ldap/frontend.bluelight.av.ldif (LDIF entries are separated by a blank line):
dn: ou=Users,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Groups
Load it (from /etc/ldap):
ldapadd -x -D cn=admin,dc=bluelight,dc=av -W -f frontend.bluelight.av.ldif
If you get the error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Try to start slapd:
/etc/init.d/slapd start
If you get an invalid-credentials error, reconfigure slapd from scratch (this discards the cn=config database under /etc/ldap/slapd.d and rebuilds it with the admin password you enter):
rm -R /etc/ldap/slapd.d/
dpkg-reconfigure slapd
If it still doesn't work check the following file:
- /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
You can also reset olcRootPW there to a known value. Do not write the password itself into the file: generate the hash with slappasswd and paste that (the value below is such an {SSHA} hash, base64-wrapped because the attribute is written with "::"). Editing slapd.d by hand is only safe while slapd is stopped; with it running, change the attribute with ldapmodify over ldapi:/// instead.
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=bluelight,dc=av
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=bluelight,dc=av" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=bluelight,dc=av" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=bluelight,dc=av
olcRootPW:: e1NTSEF9ZHVjOVVVLytLcnpqMEtaRDhtWHkwMWxMcmFrUVkrN2I=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 8cf0846c-d6d0-1030-8040-b16ccc9dfedc
creatorsName: cn=config
createTimestamp: 20120119100316Z
entryCSN: 20120119100316.322583Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120119100316Z
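The olcRootPW value above is {SSHA}: a SHA-1 over the password followed by a random salt, with the salt appended and the whole thing base64-encoded, which is what slappasswd produces. The script below is an added example and not part of the original notes: it generates such a value, verifies a password against one (so a hash pasted into the file can be checked before slapd is restarted), and prints the LDIF that installs it through ldapi:///. It assumes coreutils base64 and openssl (falling back to sha1sum) on the server; salts are 8 random alphanumeric characters, and a fixed salt can be supplied only for testing.

```shell
#!/bin/sh
# Added example (not part of the original notes): generate a salted {SSHA}
# value for olcRootPW the way slappasswd does, verify a password against one,
# and print the LDIF that installs it over ldapi:///. Assumptions: base64 from
# coreutils and openssl (or, failing that, sha1sum) are available; salts are
# 8 random alphanumeric characters, and a fixed salt may be passed for tests.

# sha1_raw: read stdin, write the raw 20-byte SHA-1 digest to stdout
sha1_raw() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 -binary
    else
        # sha1sum only prints hex; turn each byte into an octal printf escape
        hex=$(sha1sum | cut -d' ' -f1)
        printf "$(printf '%s' "$hex" | awk '{
            for (i = 1; i <= length($0); i += 2) {
                hi = index("0123456789abcdef", substr($0, i, 1)) - 1
                lo = index("0123456789abcdef", substr($0, i + 1, 1)) - 1
                printf "\\%03o", hi * 16 + lo
            }
        }')"
    fi
}

# ssha_hash PASSWORD [SALT] -> {SSHA}base64( sha1(password || salt) || salt )
ssha_hash() {
    pw=$1
    salt=${2:-$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 8)}
    b64=$( { printf '%s%s' "$pw" "$salt" | sha1_raw; printf '%s' "$salt"; } | base64 | tr -d '\n')
    printf '{SSHA}%s\n' "$b64"
}

# ssha_verify PASSWORD HASH -> 0 if PASSWORD matches HASH
# The salt is whatever follows the 20-byte digest in the decoded value, so the
# check works for any salt length, including values made by slappasswd.
ssha_verify() {
    pw=$1; hash=$2
    b64=${hash#"{SSHA}"}
    [ "$b64" != "$hash" ] || { echo "not an {SSHA} value" >&2; return 1; }
    salt=$(printf '%s' "$b64" | base64 -d | tail -c +21)
    [ "$(ssha_hash "$pw" "$salt")" = "$hash" ]
}

# rootpw_ldif HASH -> LDIF that replaces olcRootPW of the {1}hdb database.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif
rootpw_ldif() {
    printf 'dn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1"
}

# Usage: sh ssha.sh PASSWORD   (prints the hash, then the LDIF that installs it)
if [ $# -ge 1 ]; then
    h=$(ssha_hash "$1")
    echo "$h"
    rootpw_ldif "$h"
fi
```

The LDIF is applied with the cn=config root identity (ldapmodify -Y EXTERNAL -H ldapi:///), which needs no password at all, so a lost admin password is recovered without ever writing a cleartext secret into /etc/ldap/slapd.d.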
Install the authentication for the server
apt-get install ldap-auth-client auth-client-config
This is done with a simple migration tool called auth-client-config.
Its configuration is done via profiles stored in /etc/auth-client-config/profile.d
Save the current, untouched configuration, list the existing profiles, and apply the one we want:
auth-client-config -S > /etc/auth-client-config/profile.d/original-config
auth-client-config -l
auth-client-config -p lac_ldap -a
This updates the files in /etc/pam.d/ and nsswitch.conf
Change in /etc/ldapscripts/ldapscripts.conf (BINDPWDFILE holds the admin password in clear; create it as the comment in the full file below describes and keep it owned by root with mode 600):
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX="dc=bluelight,dc=av"   # Global suffix
GSUFFIX="ou=Groups"           # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"            # Users ou (just under $SUFFIX)
GIDSTART="2000"               # Group ID
UIDSTART="2000"               # User ID
HOMESKEL="/etc/skel"          # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700"               # Default permissions for home directories
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
The original:
# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.

# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"

# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=bluelight,dc=av"   # Global suffix
GSUFFIX="ou=Groups"           # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"            # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"         # Machines ou (just under $SUFFIX)

# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000"    # Group ID
UIDSTART="10000"    # User ID
#MIDSTART="20000"   # Machine ID

# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u"    # You may use %u for username here
#CREATEHOMES="no"     # Create home directories and set rights ?
HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700"       # Default permissions for home directories

# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN="<ask>"
#PASSWORDGEN="pwgen"

# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
#RECORDPASSWORDS="no"
#PASSWORDFILE="/var/log/ldapscripts_passwd.log"

# Where to log
#LOGFILE="/var/log/ldapscripts.log"

# Temporary folder
#TMPDIR="/tmp"

# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which...
# Please check they are installed before using these scripts
# Note that many of them should come with your OS

# OpenLDAP client commands
#LDAPSEARCHBIN="/usr/bin/ldapsearch"
#LDAPADDBIN="/usr/bin/ldapadd"
#LDAPDELETEBIN="/usr/bin/ldapdelete"
#LDAPMODIFYBIN="/usr/bin/ldapmodify"
#LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
#LDAPPASSWDBIN="/usr/bin/ldappasswd"

# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"

# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"

# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""

# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
Add a user (the group has to exist in LDAP already; ldapscripts' ldapaddgroup creates it)
ldapadduser testuser users
On the client:
Chroot into the client's system (the fat chroot built above)
Install and configure LDAP
The following is working for clients using 8.04 and 8.10
Install some software
aptitude install auth-client-config ldap-auth-client
and answer the debconf questions:
provide the URI of the LDAP server: ldap://192.168.10.1
provide the distinguished name: dc=bluelight,dc=av
LDAP version 3
Make local root database admin: yes
Does the LDAP database require login? no
LDAP account for root: cn=admin,dc=bluelight,dc=av
Save the following as the file /etc/auth-client-config/profile.d/bl-ldap (continuation lines of a key are indented with a tab):
[bl-ldap]
nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account sufficient pam_ldap.so
	account required pam_unix.so
pam_auth=auth sufficient pam_ldap.so
	auth required pam_unix.so nullok_secure use_first_pass
pam_password=password sufficient pam_ldap.so
	password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session optional pam_ldap.so
	session optional pam_foreground.so
Note that nullok on the pam_unix lines lets local accounts with an empty password log in, and md5 with max=8 is a legacy choice for the local hashes; tighten both before this profile leaves the test LAN.
Save the current settings and tell PAM to use LDAP
auth-client-config -S > /etc/auth-client-config/profile.d/original
auth-client-config -p bl-ldap -a
Add the following to /etc/security/group.conf
gdm;*;*;Al0000-2400;plugdev,fuse,scanner,video,audio,lpadmin,cdrom,dip
Add the following line to /etc/pam.d/gdm right before @include common-auth
auth optional pam_group.so
Make sure the LDAP settings in /etc/ldap.conf are correct:
base dc=bluelight,dc=av
uri ldap://192.168.10.1
ldap_version 3
rootbinddn cn=admin,dc=bluelight,dc=av
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,polkituser,proxy,pulse,root,saned,sshd,statd,sync,sys,syslog,uucp,www-data
rootbinddn takes its password from /etc/ldap.secret, which must be readable by root only (mode 600). uri ldap:// binds in clear, so with this setting every user password crosses the LAN unencrypted at login; on anything but a test network use ldaps:// or add ssl start_tls with the server's CA certificate.
Little reminder: the following grep strips the comments and blank lines, which makes the effective settings easy to compare with the list above
grep -v -e '^$' -e '^#' /etc/ldap.conf
Make the client ready for NFS
Install the needed packages
aptitude install nfs-client
Add the home directory mount to fstab
nfsserver.bluelight.av:/home /home nfs defaults 0 0
defaults leaves setuid binaries on the mounted home directories usable; nosuid,nodev in place of defaults costs nothing for a home mount, and the export on the server side should keep root_squash.