Version 46

1. Assignment: Install a Debian SSH server in VirtualBox and access it

Configure apt to use the apt-cacher on 192.168.10.1, port 3142 (run the substitution once only; it is not idempotent and a second run rewrites the already rewritten URLs):

sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list 

Install emacs:

sudo aptitude install emacs

Install and configure the OpenSSH server and make it work.

Start ssh-agent on the client:
eval "$(ssh-agent)"
exec ssh-agent bash (if ssh-add is not working)

Append sam_sshkey.pub to ~/.ssh/authorized_keys of the user you will log in as on the server.

Add to /etc/ssh/sshd_config (only the listed accounts may log in at all):

AllowUsers xxx

Change in the same file (no password logins, no root login over SSH), then restart sshd while keeping the current session open until a key login has been confirmed:

PasswordAuthentication no
PermitRootLogin no

If SSH login still fails, check the ownership and mode of ~/.ssh (0700) and ~/.ssh/authorized_keys (0600): with StrictModes (the default) sshd silently ignores a key file or directory that is group- or world-writable or not owned by the user.
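As an added check (not code from the original page), the following script verifies the sshd_config directives and the authorized_keys permissions the steps above depend on. It assumes OpenSSH behaviour: for a keyword that appears several times the first value wins, PasswordAuthentication defaults to yes, and with StrictModes on (the default) sshd ignores ~/.ssh or authorized_keys when they are group- or world-writable. The config files and home directory used in the usage are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: audit the sshd_config directives
# and the authorized_keys permissions that the SSH steps depend on.
# Assumptions (OpenSSH behaviour): for a keyword given several times the FIRST
# value wins; PasswordAuthentication defaults to yes; an unset PermitRootLogin
# is treated as yes (the old default); with StrictModes on (the default) sshd
# ignores ~/.ssh or authorized_keys when group/other-writable.

# sshd_effective CONFIG KEYWORD -> prints the effective value ("" if unset)
sshd_effective() {
  awk -v key="$2" '
    { sub(/#.*/, "") }                              # strip comments
    tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
  ' "$1"
}

# sshd_audit CONFIG -> prints one line per finding, returns 1 if there are findings
sshd_audit() {
  local conf=$1 rc=0 v
  v=$(sshd_effective "$conf" PasswordAuthentication)
  [ "${v:-yes}" = "no" ] || { echo "PasswordAuthentication=${v:-yes}, want no"; rc=1; }
  v=$(sshd_effective "$conf" PermitRootLogin)
  case "${v:-yes}" in
    no|without-password|prohibit-password) ;;      # root limited to keys at most
    *) echo "PermitRootLogin=${v:-yes}, want no"; rc=1 ;;
  esac
  v=$(sshd_effective "$conf" AllowUsers)
  [ -n "$v" ] || { echo "AllowUsers unset: every local account may log in"; rc=1; }
  return $rc
}

# keyfile_audit HOME -> checks HOME/.ssh and HOME/.ssh/authorized_keys, returns 1 on a problem
keyfile_audit() {
  local home=$1 rc=0 f mode go
  for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
    [ -e "$f" ] || { echo "$f missing"; rc=1; continue; }
    mode=$(stat -c %a "$f")
    go=${mode#"${mode%??}"}                         # last two octal digits: group, other
    case "$go" in
      *[2367]*) echo "$f mode $mode: group/other writable, sshd will ignore it"; rc=1 ;;
    esac
  done
  return $rc
}

# usage: sshd_audit /etc/ssh/sshd_config; keyfile_audit /home/xxx
```

Run it as root after editing sshd_config and before closing the session used to make the change; an empty output and exit status 0 means the three directives and the file modes are as the section above requires.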

Install bash completion

aptitude install bash-completion

Add the following to ~/.bashrc or ~/.bash_profile:

if [ -f /etc/bash_completion ]; then . /etc/bash_completion; fi

Document the work done

Well, that's kind of done but the editing interface of the wiki is not yet clear to me. A few shortcuts:

  • create a code box: type {code and press Enter
  • heading: Ctrl+1, Ctrl+2 or Ctrl+3
  • bullet list: Shift+Ctrl+B
  • bold, underline, italic: Ctrl+B, Ctrl+U, Ctrl+I
  • save: Ctrl+S

 

Problems encountered after installation of Debian

On start and halt

PROBLEM:

exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken

SOLUTION: read the paniclog first to see why exim failed (it records the error), then remove it:

rm /var/log/exim4/paniclog

The network had to be started manually:

dhclient eth0

PROBLEM: after adding 'auto eth0' to /etc/network/interfaces, the boot hangs on the networking/NFS step.

SOLUTION: there was no 'auto lo' in /etc/network/interfaces. Adding that, plus 'auto eth0', makes it work.

2. Assignment: Install a graphical interface on a Debian installation

Install Debian with nothing more than the base system (except on a laptop)

Install XOrg

apt-get install xorg

Install Gnome

apt-get install gnome-core

To test the installation:

startx

Change the resolution:

CTRL + ALT + '+'  and CTRL + ALT + '-'

List the available resolutions and switch to one:

xrandr -q
xrandr -s resolution

 

Install a display manager

apt-get install gdm

to start it

gdm

 

Install proprietary graphics card drivers:

The driver builds a kernel module, so the headers matching the running kernel are needed.

Check the kernel version

uname -r

Install the kernel headers and link them to /usr/src/linux

apt-get install linux-headers-...
rm /usr/src/linux
ln -s /usr/src/linux-headers-... /usr/src/linux

Install the compilers

apt-get install gcc g++

 

For NVIDIA cards

Download the latest driver from the NVIDIA website.

Stop gdm (might need a kill)

/etc/init.d/gdm stop

Install the driver

sh NVIDIA...

When the installer asks, do not download a pre-built kernel interface; let it compile one against the installed headers. Check the installer's checksum against the one published on the NVIDIA site before running it as root (it is unpackaged code executed with full privileges). Then generate the X configuration and restart gdm:

nvidia-xconfig
/etc/init.d/gdm restart 

To remove the NVIDIA splash logo, add to the Device section of xorg.conf:

Option "NoLogo" "1"

3. Assignment: Install Amanda & use it

Installation

create the directory structure for the folders to keep the backup

mkdir /mnt/backup
#mount $DISK /mnt/backup/
mkdir /mnt/backup/vtapes /mnt/backup/holding /mnt/backup/holding/sam
chown backup.disk -R /mnt/backup/* 

create the config in /etc/amanda

mkdir /etc/amanda/sam-daily
touch /etc/amanda/sam-daily/amanda.conf
touch /etc/amanda/sam-daily/disklist
chown -R backup.backup /etc/amanda/sam-daily

/etc/amanda/sam-daily/amanda.conf

org "sam"
mailto "root"
dumpcycle 7
runspercycle 5
tapecycle 30
dumpuser "backup"
tpchanger "chg-disk:/mnt/backup/vtapes/sam" # a virtual tape changer
#tapedev "/dev/nst0a" # the tapechanger
#tapedev "file:/mnt/backup/vtapes/offering"
changerfile "/var/lib/amanda/sam/changerfile"
labelstr "SAM.*"
label_new_tapes "SAM-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/sam"
infofile "/var/lib/amanda/sam/curinfo"
indexdir "/var/lib/amanda/sam/index"
tapelist "/var/lib/amanda/sam/tapelist"
runtapes 5
#usetimestamps YES
dtimeout 3600 #seconds per client per dump
holdingdisk hd1 {
 directory "/mnt/backup/holding/sam"
}
define dumptype comp-tar {
 program "GNUTAR"
 index yes
# record no # Important! avoid interfering with production runs
 auth "bsdtcp"
 
}
define dumptype user-tar-span {
 comp-tar
 tape_splitsize 445 MB
 auth "bsd"
 #holdingdisk no
 #split_diskbuffer "/mnt/holding/diskbuffer"
 #fallback_splitsize 100M
 comment "tape-spanning user partitions dumped with tar"
 #exclude list "/etc/amanda/sam-daily/exclude-list"
}
define dumptype user-tar-span-home {
 user-tar-span
 comment "excluding all the unwanted things from /home"
# exclude list "/etc/amanda/sam-daily/exclude-list"
}
define tapetype DVD_SIZED_DISK {
 filemark 4 KB
 length 4482 MB
}
 
Allow the server to run amdump on this client. bsd/bsdtcp authentication trusts the host name written in this file (resolved through reverse DNS), so keep the file owned by the backup user with mode 0600:

echo debian-server-test-sam.bluelight.av backup amdump >> /var/backups/.amandahosts

/etc/amanda/sam-daily/disklist

debian-server-test-sam.bluelight.av /etc user-tar-span
debian-server-test-sam.bluelight.av /var user-tar-span
debian-server-test-sam.bluelight.av /root user-tar-span
#debian-server-test-sam.bluelight.av /home/./all /home/ {
#user-tar-span
#exclude append "./media_no_backup"
#}

As the backup user, create all the virtual tapes (they are labelled below):

su backup -c "mkdir /mnt/backup/vtapes/sam"
for i in `seq 30`; do su backup -c "mkdir /mnt/backup/vtapes/sam/slot$i"; done
cd /mnt/backup/vtapes/sam && ln -s slot1 data

create the tapelist

su backup -c "mkdir /var/lib/amanda/sam"
su backup -c "touch /var/lib/amanda/sam/tapelist"

label the tapes

for i in `seq 30`; do su backup -c "/usr/sbin/amlabel sam-daily SAM-$i slot $i"; done

/root/scripts/amanda-backup (after creating the folder):

#!/bin/bash
#mount ${DISK} /mnt/backup
su backup -c "/usr/sbin/amdump sam-daily"
#sleep 5
#umount /mnt/backup
exit 0
chmod +x /root/scripts/amanda-backup 

Recover (example for /etc)

In order to be able to run a recovery, add the following line to the .amandahosts file (/var/backups/.amandahosts above); it lets root on localhost talk to the index and tape servers:

localhost root amindexd amidxtaped

Change to the directory where the files should be restored. amrecover extracts relative to the current directory, so extracting while in /etc overwrites the live files; restore into a scratch directory first and copy over what is needed.

amrecover sam-daily
listhost
sethost  debian-server-test-sam.bluelight.av
listdisk
setdisk /etc
cd (folder name - ls works too)
add (name of the folder to recover or * for everything)    
extract
exit

 

If the backup is restored from an external drive:

    • make sure you have /etc/amanda and /var/lib/amanda on the external drive
    • copy these 2 folders to the system to restore
    • mount --bind the folder containing the vtapes onto the folder on the system that is supposed to hold the vtapes (cf. /etc/amanda/sam-daily/amanda.conf)
    • follow the steps above

Problems encountered

...amanda.conf ...Line 54: end of line expected

SOLUTION: Press 'ENTER' at the end of the file and save.

 

4. Assignment: Weekly backup for server cupcake

First phase: Test on VirtualBox

Clone the Amanda disk already created.

Do it by exporting the appliance and then importing it, preferably under a new name.

PROBLEM: the cloned machine has the same network card and the same MAC address as the original.

SOLUTION: change the MAC address in VirtualBox and change it in the OS:

emacs /etc/udev/rules.d/70-persistent-net.rules

Keep the interface with the new MAC address and make sure it is named eth0. Restart the OS.

Create two partitions on a virtual drive and mount them on the server

Create 1 drive in VirtualBox and create 2 partitions:

fdisk -l
cfdisk /dev/sdb

format the partitions and mount them:

mkfs.ext3 /dev/sdb1
mkfs.ext3 /dev/sdb2
mkdir /media/backup-data
mkdir /media/backup-data2
mount -t ext3 /dev/sdb1 /media/backup-data
mount -t ext3 /dev/sdb2 /media/backup-data2

Create a daily backup of the second virtual OS

Second phase: Configure CUPCAKE 

Explanation of dumpcycle, runspercycle, runtapes, tapecycle and tapetype in amanda.conf

Parameter      Meaning
dumpcycle      The number of days within which every DLE gets a full backup (ex: every 4 weeks = 28)
runspercycle   How many amdump runs take place in one dumpcycle (ex: one run per week = 4)
runtapes       How many tapes one run may use (ex: biggest disklist + a bit, divided by the tapetype size = 12)
tapecycle      How many tapes are in rotation; every run consumes runtapes of them, and the number must be larger than runtapes * runspercycle (ex: 50)
tapetype       Defines the size of a tape (ex: DVD size: 4.5G)

Example cycle: dumpcycle 28, runspercycle 4, runtapes 12, with three DLEs (DLE_110G, DLE_245G, DLE_31G)

Day     Event
1-6     (no run)
7       run, 12 tapes
8-13    (no run)
14      run, 12 tapes
15-20   (no run)
21      run, 12 tapes
22-27   (no run)
28      run, 12 tapes; end of the dumpcycle
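As an added check (not code from the original page), the following reads the four cycle parameters out of an amanda.conf and applies the rule from the amanda.conf man page that tapecycle must be larger than runspercycle * runtapes, then counts the vtape slot directories against tapecycle. With the bluelight-weekly numbers used further down (runspercycle 4, runtapes 15, tapecycle 60) the check fails, and a labelling loop that creates only 30 slots falls short of tapecycle; the sam-daily numbers (5 * 5 = 25 < 30) pass. The Amanda defaults assumed when a parameter is missing (dumpcycle 10, runspercycle = dumpcycle, runtapes 1, tapecycle 15) are those of the man page; the config files in the usage are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: sanity-check the tape rotation
# numbers of an amanda.conf before the first amdump run.
# Rule (amanda.conf man page): tapecycle must be larger than runspercycle * runtapes.

# amconf_get CONF KEY -> first value of KEY with comments stripped ("" if absent)
amconf_get() {
  awk -v key="$2" '{ sub(/#.*/, "") } $1 == key { print $2; exit }' "$1"
}

# amanda_cycle_check CONF -> prints the numbers, returns 1 if tapecycle is too small
amanda_cycle_check() {
  local conf=$1 dc rpc rt tc need
  dc=$(amconf_get "$conf" dumpcycle);     dc=${dc:-10}        # Amanda defaults assumed
  rpc=$(amconf_get "$conf" runspercycle); rpc=${rpc:-$dc}
  rt=$(amconf_get "$conf" runtapes);      rt=${rt:-1}
  tc=$(amconf_get "$conf" tapecycle);     tc=${tc:-15}
  need=$((rpc * rt))                                       # tapes written in one dumpcycle
  echo "dumpcycle=$dc runspercycle=$rpc runtapes=$rt tapecycle=$tc tapes_used_per_cycle=$need"
  [ "$tc" -gt "$need" ]
}

# vtape_slot_check VTAPE_DIR TAPECYCLE -> returns 1 if fewer slot* directories than tapecycle
vtape_slot_check() {
  local n
  n=$(find "$1" -maxdepth 1 -type d -name 'slot*' | wc -l | tr -d ' ')
  echo "$n slots in $1, tapecycle $2"
  [ "$n" -ge "$2" ]
}

# usage: amanda_cycle_check /etc/amanda/bluelight-weekly/amanda.conf
#        vtape_slot_check /media/backup-data2/amanda/vtapes/bluelight-weekly 60
```

A failing cycle check means amdump will eventually ask for a tape it is not allowed to overwrite yet; either raise tapecycle (and label that many slots) or lower runtapes.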

Creating the script adapted to the present situation of the server (12/2011)

#!/bin/bash
## this is to automate the amanda setup
## variables used.
SERVICE=bluelight
FREQ=-weekly # frequency of the backup
MOUNTPOINT1=/media/backup-data # mountpoint for holding
MOUNTPOINT2=/media/backup-data2 # mountpoint for backup
TAPE=$(echo "${SERVICE}${FREQ}" | tr '[:lower:]' '[:upper:]')
SLOTS=60 # number of virtual tapes to create and label; must not be smaller than tapecycle in amanda.conf below
## create the directory structure for the folders to keep the backup
## (the diskbuffer directory is referenced by split_diskbuffer in amanda.conf)
mkdir -p "${MOUNTPOINT1}/amanda/holding/${SERVICE}${FREQ}" "${MOUNTPOINT1}/amanda/holding/diskbuffer"
mkdir -p "${MOUNTPOINT2}/amanda/vtapes"
chown -R backup:disk "${MOUNTPOINT2}/amanda"
chown -R backup:disk "${MOUNTPOINT1}/amanda"
## create the config in /etc/amanda
mkdir -p "/etc/amanda/${SERVICE}${FREQ}"
touch "/etc/amanda/${SERVICE}${FREQ}/amanda.conf"
touch "/etc/amanda/${SERVICE}${FREQ}/disklist"
chown -R backup:backup "/etc/amanda/${SERVICE}${FREQ}"
## The config files
cat << EOF > "/etc/amanda/${SERVICE}${FREQ}/amanda.conf"
org "Bluelight"
mailto "bluelight@auroville.org.in"
dumpcycle 28
runspercycle 4
runtapes 15
tapecycle 60 # must be larger than runspercycle * runtapes (4 * 15 = 60): check before the first run
dumpuser "backup"
tpchanger "chg-disk" # a virtual tape changer
tapedev "file:/media/backup-data2/amanda/vtapes/bluelight-weekly"
changerfile "/var/lib/amanda/bluelight-weekly/changerfile"
labelstr "BLUELIGHT-WEEKLY-.*"
#label_new_tapes "BLUELIGHT-WEEKLY-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/bluelight-weekly"
infofile "/var/lib/amanda/bluelight-weekly/curinfo"
indexdir "/var/lib/amanda/bluelight-weekly/index"
tapelist "/var/lib/amanda/bluelight-weekly/tapelist"
holdingdisk hd1 {
 directory "/media/backup-data/amanda/holding/bluelight-weekly"
}
define dumptype comp-tar {
 program "GNUTAR"
 compress fast
 index yes
# record no # Important! avoid interfering with production runs
}
define dumptype user-tar-span {
 comp-tar
 tape_splitsize 445 MB
 holdingdisk no
 split_diskbuffer "/media/backup-data/amanda/holding/diskbuffer"
 fallback_splitsize 100M
 comment "tape-spanning user partitions dumped with tar"
 compress none
}
define dumptype user-tar-span-home {
 user-tar-span
 comment "excluding all the unwanted things from /home"
 exclude list "/etc/exclude-list"
 compress none
}
define tapetype DVD_SIZED_DISK {
 filemark 4 KB
 length 4482 MB
}
EOF

## create the disklist
cat <<EOF > "/etc/amanda/${SERVICE}${FREQ}/disklist"
rose.bluelight.av /etc user-tar-span
rose.bluelight.av /root user-tar-span
rose.bluelight.av /var user-tar-span
#192.168.10.12 /home/aufilduweb/data/Entreprises/Auroville/ user-tar-span
#
#192.168.10.12 /var/www/./programming /var/www {
# user-tar-span
## auth "bsdtcp"
# include "./meeting"
# include "./act"
# include "./mm_visitor_access"
#} 2
#this section is for everything in /home
######
rose.bluelight.av /home/./bharathy /home/ {
 user-tar-span-home
 include "./bharathy"
} 1
rose.bluelight.av /home/./juergen /home/ {
 user-tar-span-home
 include "./juergen"
} 1
rose.bluelight.av /home/./resources /home/ {
 user-tar-span-home
 include "./resources"
} 1
rose.bluelight.av /home/./rest /home/ {
 user-tar-span-home
 exclude append "./bharathy"
 exclude append "./juergen"
 exclude append "./resources"
 exclude append "./backup"
 exclude append "./backup_services"
 exclude append "./rdiff-backup"
 exclude append "./classes"
 exclude append "./joy"
 exclude append "./sincerity"
 exclude append "./surrender"
 exclude append "./music"
} 1
######
EOF

## as the backup user create all the virtual tapes and label them
su backup -c "mkdir -p ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}"
for i in $(seq "${SLOTS}"); do su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}/slot$i"; done
cd "${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}" && ln -s slot1 data

## create the tapelist
su backup -c "mkdir -p /var/lib/amanda/${SERVICE}${FREQ}"
su backup -c "touch /var/lib/amanda/${SERVICE}${FREQ}/tapelist"

## label the tapes
for i in $(seq "${SLOTS}"); do su backup -c "/usr/sbin/amlabel ${SERVICE}${FREQ} ${TAPE}-$i slot $i"; done
[ -d /root/scripts ] || mkdir /root/scripts

## create the starting script (it halts the machine after the run unless /no exists)
cat <<EOF > "/root/scripts/amanda-${SERVICE}${FREQ}-backup"
#!/bin/bash
su backup -c "/usr/sbin/amdump ${SERVICE}${FREQ}"
sleep 20
# if the machine should stay on after the backup create a file in / called no
# ie touch /no
if [ -f /no ]
then
 rm -f /no
 exit 0
else
 /sbin/halt
fi
exit 0
EOF
chmod +x "/root/scripts/amanda-${SERVICE}${FREQ}-backup"
exit 0

Create a crontab entry (the command must be the script that actually exists in /root/scripts; the setup script above writes /root/scripts/amanda-bluelight-weekly-backup):

 # m h dom mon dow command
17 12 * * 1-4 /root/scripts/backup-bluelight
17 12 * * 5 /root/scripts/backup-bluelight-weekly

Changed runspercycle of the daily backup to 4 in its amanda.conf, to match the four daily runs (Monday to Thursday) per week. Before the first weekly run check the rotation numbers: tapecycle 60 is not larger than runspercycle * runtapes (4 * 15 = 60) as the amanda.conf man page requires, and at least tapecycle virtual tapes must be created and labelled. Also remember that the start script halts the machine after each run unless /no exists.

 

PROBLEM: 

amrecover bluelight-weekly
AMRECOVER Version 2.5.2p1. Contacting server on localhost ...
[request failed: timeout waiting for ACK]

SOLUTION:

amrecover bluelight-weekly -s cupcake.bluelight.av -t cupcake.bluelight.av

5. Assignment: Make a weekly off-site backup of the TownHall

Rdiff-backup

Install rdiff-backup on the server and on the workstation:

apt-get install rdiff-backup

and create a backup folder on the server (ex: /backup/servername/).

Login using an SSH key

As root on the workstation create the key; do not enter a passphrase (the job runs unattended from cron). A key without a passphrase is only acceptable because the server side restricts it to the forced rdiff-backup command and to the source host (see "Secure the ssh authentication" further down). Note that the ssh config below refers to the key as /root/.ssh/id_rsa_backup_raspberry, so use the same file name in ssh-keygen (-f), in scp and in the config.

ssh-keygen -t rsa

Copy the public key to the server

scp /root/.ssh/id_rsa.pub root@192.168.10.91:/root/

Append the public key to .ssh/authorized_keys of the user (in their home folder) you want to log in as

cat id_rsa.pub >> /root/.ssh/authorized_keys

Change in /etc/ssh/sshd_config:

PasswordAuthentication no
PermitRootLogin without-password

PermitRootLogin without-password still allows root to log in with any key in /root/.ssh/authorized_keys, which is why the backup key is restricted with a forced command below.

If SSH doesn't work, check the ownership and mode of .ssh/authorized_keys (0600, owner root) and of .ssh (0700), or check the name of the file.

Create a backup list (rdiff-backup include-globbing-filelist syntax: include /home, then exclude everything else)

/root/rdiff-backups/backup-list-server

/home/
- /
 

Create an SSH alias to access the server

/root/.ssh/config

Host backup-server
 Hostname 192.168.10.91
 User root
 IdentityFile /root/.ssh/id_rsa_backup_raspberry
 Protocol 2
 

Test the backup with:

rdiff-backup --force --include-globbing-filelist /root/rdiff-backups/backup-list-server / backup-server::/backup/raspberry/

Secure the ssh authentication

In /root/.ssh/authorized_keys on the server add the following before 'ssh-rsa....'. The key can then only start the rdiff-backup server, only from the named host (from= is matched against the client's reverse DNS name or its address, so use the IP address if the DNS is not trustworthy), and gets no shell, pty or forwarding. Because the forced command still runs as root, it is worth adding --restrict /backup/raspberry to it so the remote side cannot read or write outside the backup directory.

command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 

so the file's line looks like:

command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA[......]3UV/ root@raspberry
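As an added example (not code from the original page), the following builds the restricted authorized_keys entry for the rdiff-backup key and audits an authorized_keys file for keys that still lack a forced command or a from= restriction, which is the check to run on the backup server after editing the file. It assumes the authorized_keys line format (optional options, key type, base64 key, comment) and uses the host and paths from this section; the public key in the usage is a constructed placeholder. The --restrict option is rdiff-backup's own; whether to use it is the caveat above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: generate the restricted
# authorized_keys entry for the rdiff-backup key and audit an authorized_keys
# file for entries without a forced command or a from= restriction.
# Assumes the authorized_keys format: [options] keytype base64 [comment].

# restricted_line PUBKEY_LINE SOURCE_HOST RESTRICT_DIR -> prints the hardened line
restricted_line() {
  local pubkey=$1 src=$2 dir=$3
  printf 'command="rdiff-backup --server --restrict %s",from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
    "$dir" "$src" "$pubkey"
}

# authorized_keys_audit FILE -> prints one line per unrestricted key, returns 1 if any
authorized_keys_audit() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
      has_cmd  = ($0 ~ /(^|,)command="/)    # forced command present?
      has_from = ($0 ~ /(^|,)from="/)       # source restriction present?
      if (!has_cmd || !has_from) {
        bad = 1
        printf "line %d (%s):%s%s\n", NR, $NF,
               (has_cmd ? "" : " no forced command"),
               (has_from ? "" : " no from= restriction")
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# usage (on the workstation, then append the output to the server file):
#   restricted_line "$(cat /root/.ssh/id_rsa_backup_raspberry.pub)" raspberry.bluelight.av /backup/raspberry
# usage (on the server): authorized_keys_audit /root/.ssh/authorized_keys
```

Every key in root's authorized_keys that the audit lists can open an unrestricted root shell on the backup server; on a host whose only job is receiving backups, the expected output is empty.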

Command line to remove increments older than two weeks from the server:

rdiff-backup --remove-older-than 2W backup-server::/backup/raspberry/

 

6. Configure an LDAP Fat Server/Client

 

https://help.ubuntu.com/community/UbuntuLTSP/FatClients

http://wiki.bluelightav.org/display/BLUE/Open+LDAP

http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/

http://ubuntuforums.org/showthread.php?t=1054966

http://ubuntuforums.org/showthread.php?t=1488232

https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html

http://ubuntuforums.org/archive/index.php/t-1156240.html

Install and configure LTSP

On the server:

If not done before, configure the sources.list files to use the cache of the server (run the substitution once only: a second run rewrites the already rewritten URLs):

sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list.d/medibuntu.list
apt-get update

Install ltsp-server-standalone:

sudo apt-get install ltsp-server-standalone

Edit the installation option of ltsp-build-client:

/etc/ltsp/ltsp-build-client.conf
# The chroot architecture. 
ARCH=i386
# ubuntu-desktop and edubuntu-desktop are tested. 
# If you test with [k|x]ubuntu-desktop, edit this page and mention if it worked OK. 
# kubuntu lucid (10.10) working okay. 
FAT_CLIENT_DESKTOPS="ubuntu-desktop"
# Space separated list of programs to install. 
# The java plugin installation contained in ubuntu-restricted-extras 
# needs some special care, so let's use it as an example. 
LATE_PACKAGES=" 
 ubuntu-restricted-extras 
 gimp 
 nfs-client 
"
# This is needed to answer "yes" to the Java EULA. 
# We'll create that file in the next step. 
DEBCONF_SEEDS="/etc/ltsp/debconf.seeds"
# This uses the server apt cache to speed up downloading. 
# This locks the servers dpkg, so you can't use apt on 
# the server while building the chroot. 
MOUNT_PACKAGE_DIR="/var/cache/apt/archives/"

Create and edit the following file for the unattended Java and msttcorefonts installation:

/etc/ltsp/debconf.seeds
# Do you agree with the DLJ license terms?
sun-java6-bin shared/accepted-sun-dlj-v1-1 boolean true
sun-java6-jre shared/accepted-sun-dlj-v1-1 boolean true
# In order to install this package, you must accept the license terms, the
# "TrueType core fonts for the Web EULA ". Not accepting will cancel the
# installation. Do you accept the EULA license terms?
ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula boolean true


If LTSP is installed on an Oneiric system (otherwise go to the next step):

The fat client plugin blacklists some packages that don't make sense to have in a fat client chroot.

Unfortunately in Oneiric xdiagnose depends on one of those packages, apport, so the fat client plugin needs to be manually edited for ltsp-build-client to complete successfully.  

Open the following file and remove the word "apport" from line 43:

/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/030-fat-client

 

Build the client (even when using the server's cache some files are still downloaded from the internet; if a solution is found please update this page):

ltsp-build-client --mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu --security-mirror http://192.168.10.1:3142/security.ubuntu.com/ubuntu --updates-mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu

if this doesn't work you can always modify the configuration files:

emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/000-basic-configuration
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/010-updates-mirrors


You can use the fat chroot also to run thin clients, not only fat ones. This way you can have a mix of powerful and less powerful clients, which become "fat" or "thin" depending on their RAM (consider the fat chroot a superset of a thin one: a thin boot uses only a small, common part of it). The parameter that sets the RAM threshold is:

FAT_RAM_THRESHOLD

which defaults to 300 (MB). So if you want clients to boot as fat ones only if they have more than 800MB, edit lts.conf and put:

FAT_RAM_THRESHOLD=800

Another interesting feature is making a server directory available to all the fat clients. For instance, to have the fat clients mount the server's /srv as their own /srv, add this parameter:

LOCAL_APPS_EXTRAMOUNTS=/srv

 

-------------------------

Install and configure DHCP

Configure /etc/network/interfaces

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
broadcast 192.168.2.255

cp /etc/ltsp/dhcpd.conf /etc/ltsp/dhcpd-backup.conf

emacs /etc/ltsp/dhcpd.conf

#
# Default LTSP dhcpd.conf config file.
#
#authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
 range 192.168.2.2 192.168.2.250;
 option domain-name "LSTPtest.av";
 option domain-name-servers 192.168.2.1;
 option broadcast-address 192.168.2.255;
 option routers 192.168.2.1;
# next-server 192.168.2.1;
# get-lease-hostnames true;
 option subnet-mask 255.255.255.0;
 option root-path "/opt/ltsp/i386";
 if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
 filename "/ltsp/i386/pxelinux.0";
 } else {
 filename "/ltsp/i386/nbi.img";
 }
}

sudo /etc/init.d/networking restart

sudo /etc/init.d/isc-dhcp-server restart

 

If there are problems, kill NetworkManager or even uninstall it, as it interferes with the DHCP configuration:

killall NetworkManager

 

WORKS UNTIL HERE, CLIENTS BOOT

Install and configure LDAP

Install the server dependencies

apt-get install slapd ldap-utils ldapscripts

Create /etc/ldap/frontend.bluelight.av.ldif (the two entries must be separated by a blank line, otherwise ldapadd reads them as one entry):

dn: ou=Users,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Groups

ldapadd -x -D cn=admin,dc=bluelight,dc=av -W -f frontend.bluelight.av.ldif

 

If you get the error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Try to start slapd:

/etc/init.d/slapd start

If you get a credentials error, reconfigure slapd (on a fresh install only: removing /etc/ldap/slapd.d destroys the current cn=config, so back it up first):

rm -R /etc/ldap/slapd.d/
dpkg-reconfigure slapd

If it still doesn't work check the following file:

  • /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif

The olcRootPW in it must be a hash generated with slappasswd (the {SSHA} form shown below), never a cleartext value. The dump below was taken from the test server's live configuration and contains its olcRootPW hash; a hash like this should not be copied into documentation, and the password should be changed once it has been.
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=bluelight,dc=av
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=bluelight,dc=av" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=bluelight,dc=av" write by
 * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=bluelight,dc=av
olcRootPW:: e1NTSEF9ZHVjOVVVLytLcnpqMEtaRDhtWHkwMWxMcmFrUVkrN2I=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 8cf0846c-d6d0-1030-8040-b16ccc9dfedc
creatorsName: cn=config
createTimestamp: 20120119100316Z
entryCSN: 20120119100316.322583Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120119100316Z
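As an added example (not code from the original page), the following produces a salted {SSHA} value for olcRootPW without slapd's slappasswd, verifies one, and prints the ldapmodify LDIF that replaces olcRootPW in the {1}hdb database. It implements the OpenLDAP SSHA format, base64(SHA-1(password || salt) || salt), with openssl and coreutils; the password and salt in the usage are constructed, and the LDIF assumes the olcDatabase={1}hdb,cn=config entry shown in the dump above. When slapd is installed, slappasswd -s PASSWORD yields the same format and is the tool to prefer.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: produce and verify OpenLDAP
# {SSHA} password hashes (base64 of SHA-1(password || salt) followed by the
# salt) with openssl and coreutils, so olcRootPW never holds a cleartext value.
# The salt is passed as a file because it is raw bytes.

# ssha_hash PASSWORD SALTFILE -> prints {SSHA}<base64>
ssha_hash() {
  local pw=$1 saltfile=$2 b64
  b64=$( { { printf '%s' "$pw"; cat "$saltfile"; } | openssl dgst -sha1 -binary; cat "$saltfile"; } | base64 | tr -d '\n')
  printf '{SSHA}%s\n' "$b64"
}

# ssha_new PASSWORD -> hash with a fresh 4-byte random salt
ssha_new() {
  local tmp
  tmp=$(mktemp)
  openssl rand 4 > "$tmp"
  ssha_hash "$1" "$tmp"
  rm -f "$tmp"
}

# ssha_verify PASSWORD HASH -> returns 0 if PASSWORD matches HASH
ssha_verify() {
  local pw=$1 hash rc tmp
  hash=$(printf '%s' "$2" | sed 's/^{SSHA}//')
  tmp=$(mktemp)
  # the salt is whatever follows the 20-byte SHA-1 digest
  printf '%s' "$hash" | base64 -d | tail -c +21 > "$tmp"
  if [ "$(ssha_hash "$pw" "$tmp")" = "{SSHA}$hash" ]; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# rootpw_ldif HASH -> LDIF to load with: ldapmodify -Y EXTERNAL -H ldapi:/// -f FILE
rootpw_ldif() {
  printf 'dn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$1"
}

# usage: rootpw_ldif "$(ssha_new 'the-new-admin-password')" > /tmp/rootpw.ldif
```

Generate the hash on the server itself rather than on a workstation, and do not keep the LDIF around afterwards: the hash is offline-crackable, which is why the one in the dump above should be treated as disclosed.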
 

 

Install the authentication for the server

apt-get install ldap-auth-client auth-client-config

This is done with a simple migration tool called auth-client-config.
The configuration is done via its profiles, which are stored in /etc/auth-client-config/profile.d.

List the existing profiles, save the current untouched configuration, and switch to the profile we want:

 

auth-client-config -S > /etc/auth-client-config/profile.d/original-config
auth-client-config -l
auth-client-config -p lac_ldap -a

This will update the files in /etc/pam.d/ and the nsswitch.conf

 

Change the following in /etc/ldapscripts/ldapscripts.conf. The file named in BINDPWDFILE holds the admin bind password in clear (create it as the comments in the original file describe, with echo -n), so it must be owned by root with mode 0600:

/etc/ldapscripts/ldapscripts.conf
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
GIDSTART="2000" # Group ID
UIDSTART="2000" # User ID
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
 

The original:

# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.

# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
 
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
 
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
 
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines" # Machines ou (just under $SUFFIX)
 
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
#MIDSTART="20000" # Machine ID
 
# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u" # You may use %u for username here
#CREATEHOMES="no" # Create home directories and set rights ?
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories
 
# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN="<ask>"
#PASSWORDGEN="pwgen"
 
# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
#RECORDPASSWORDS="no"
#PASSWORDFILE="/var/log/ldapscripts_passwd.log"
 
# Where to log
#LOGFILE="/var/log/ldapscripts.log"
 
# Temporary folder
#TMPDIR="/tmp"
 
# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which... 
# Please check they are installed before using these scripts
# Note that many of them should come with your OS
 
# OpenLDAP client commands
#LDAPSEARCHBIN="/usr/bin/ldapsearch"
#LDAPADDBIN="/usr/bin/ldapadd"
#LDAPDELETEBIN="/usr/bin/ldapdelete"
#LDAPMODIFYBIN="/usr/bin/ldapmodify"
#LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
#LDAPPASSWDBIN="/usr/bin/ldappasswd"
 
# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"
 
# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"
 
# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""
 
# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

 

Add a user

ldapadduser testuser users 

 

Install and configure NFS

Install the main package:

aptitude install nfs-kernel-server

and configure the shares by adding the following to /etc/exports. Note that async acknowledges writes before they reach disk (a server crash loses them), and NFS with the default AUTH_SYS security trusts the UID the client presents, so anyone who controls root on any host in 192.168.10.0/24 can read every home directory; keep the allowed network as narrow as possible and leave root_squash (the default) on.

/home 192.168.10.0/24(rw,async,no_subtree_check)

 

On the client:

Chroot into the client's system (the LTSP chroot built above, /opt/ltsp/i386, which is the root-path handed out in dhcpd.conf) and do the following steps inside it.

Install and configure LDAP (client side)

The following works for clients running 8.04 and 8.10.
Install some software:

aptitude install auth-client-config ldap-auth-client

provide the uri for the ldap server: ldap://192.168.10.1
provide the distinguished name: dc=bluelight,dc=av
LDAP version 3
Make local root database: yes
Does the LDAP database require login? no
LDAP account for root: cn=admin,dc=bluelight,dc=av

Save the following as a file in /etc/auth-client-config/profile.d/bl-ldap:

/etc/auth-client-config/profile.d/bl-ldap
[bl-ldap]
nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account    sufficient   pam_ldap.so
        account    required     pam_unix.so
pam_auth=auth       sufficient   pam_ldap.so
        auth       required     pam_unix.so nullok_secure use_first_pass
pam_password=password   sufficient   pam_ldap.so
        password   required     pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session    required     pam_unix.so
        session    required     pam_mkhomedir.so skel=/etc/skel/
        session    optional     pam_ldap.so
        session    optional     pam_foreground.so

Save the current settings and tell PAM to use LDAP. (The profile above keeps the stock pam_unix options: nullok accepts a local account with an empty password, so drop it unless it is really needed.)

auth-client-config -S > /etc/auth-client-config/profile.d/original
auth-client-config -p bl-ldap -a

add following to /etc/security/group.conf

gdm;*;*;Al0000-2400;plugdev,fuse,scanner,video,audio,lpadmin,cdrom,dip

add following line to /etc/pam.d/gdm right before @include common-auth

auth	optional	pam_group.so

Make sure the LDAP settings are correct, as specified in /etc/ldap.conf. Note that ldap:// without TLS sends bind passwords in clear over the LAN; once the server has a certificate, switch to ldaps:// or enable STARTTLS.

base dc=bluelight,dc=av
uri ldap://192.168.10.1
ldap_version 3
rootbinddn cn=admin,dc=bluelight,dc=av
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,polkituser,proxy,pulse,root,saned,sshd,statd,sync,sys,syslog,uucp,www-data

Little reminder: the following grep command strips the comments and blank lines:

grep -v -e ^$ -e ^# /etc/ldap.conf 

Make the client ready for NFS

Install the needed packages:

aptitude install nfs-client

Add the home directory mount to the fstab:

/etc/fstab
nfsserver.bluelight.av:/home	/home	nfs	defaults	0	0
 