1. Assignment: Install a Debian ssh server on a VirtualBox and access it
configure apt-cacher: 192.168.10.1 port 3128
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
install emacs
sudo aptitude install emacs
install and configure the openssh server and make it work
eval `ssh-agent`
exec ssh-agent bash   (if ssh-add is not working)
add sam_sshkey.pub to .ssh/authorized_keys
add to /etc/ssh/sshd_config:
AllowUsers xxx
changed in the same file:
PasswordAuthentication no
PermitRootLogin no
If ssh doesn't work, check the group and owner of .ssh/authorized_keys
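As an added example (not from the original notes), a small shell script that verifies the two points above: that sshd_config really enforces AllowUsers, PasswordAuthentication no and PermitRootLogin no, and that authorized_keys has the owner and mode sshd insists on. The functions take paths as arguments; the sshd_config built at the bottom is a constructed sample, not the server's file, and `stat -c` (GNU coreutils or busybox) is assumed.

```shell
#!/bin/bash
# Added example, not part of the original notes: verify that sshd_config really
# enforces the three settings above and that authorized_keys has the ownership
# and mode sshd requires. Paths are arguments, so it can run against copies.

# sshd uses the FIRST value it sees for a keyword; a hardened line appended at
# the end of the file is silently ignored if an earlier line sets the keyword.
# (Match blocks are not handled here.)
sshd_effective() {            # usage: sshd_effective CONFIG KEYWORD -> prints the effective value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key        { print $2; exit }
    ' "$1"
}

# Prints one line per problem; returns 1 if any were found.
check_sshd_config() {         # usage: check_sshd_config CONFIG
    local cfg="$1" rc=0 v
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset, defaults to yes}', expected no"; rc=1; }
    v=$(sshd_effective "$cfg" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', expected no"; rc=1; }
    v=$(sshd_effective "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is not set: any account with a key or password can log in"; rc=1; }
    return $rc
}

# With StrictModes (the default) sshd ignores an authorized_keys file that is
# not owned by the user or is writable by group/others; the same applies to
# ~/.ssh and the home directory itself, so check all three the same way.
check_key_file_mode() {       # usage: check_key_file_mode PATH EXPECTED_OWNER
    local mode owner
    mode=$(stat -c '%a' "$1") && owner=$(stat -c '%U' "$1") || return 1
    [ "$owner" = "$2" ] || { echo "$1 is owned by $owner, expected $2"; return 1; }
    case "$mode" in                 # last two octal digits: group and other
        *[2367][0-7] | *[0-7][2367]) echo "$1 mode $mode is group/world writable"; return 1 ;;
    esac
    return 0
}

# Demonstration on a constructed sshd_config (not the notes' real file):
# the "no" at the bottom does not help because "yes" comes first.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers xxx
PasswordAuthentication no
EOF
chmod 600 "$demo_dir/sshd_config"
check_sshd_config "$demo_dir/sshd_config" || echo "-> sample config is NOT hardened"
check_key_file_mode "$demo_dir/sshd_config" "$(id -un)" && echo "-> sample file mode is fine"
rm -rf "$demo_dir"
```

After editing the real file, run `check_sshd_config /etc/ssh/sshd_config` and `check_key_file_mode /home/xxx/.ssh/authorized_keys xxx` (also on /home/xxx and /home/xxx/.ssh). The detail worth remembering is that sshd keeps the first value of a keyword, so hardening lines appended below an existing "yes" have no effect.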
install bash completion
aptitude install bash-completion
add the following to ~/.bashrc or ~/.bash_profile
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
Document the work done
Well, that's kind of done, but the editing interface of the wiki is not yet clear to me. A few shortcuts:
- create a code box:
{code 'Enter'
- heading
'ctrl' AND '1' XOR '2' XOR '3'
- bullet list
'shift' AND 'ctrl' AND 'b'
- bold, underline, italic
'ctrl' AND 'b' 'ctrl' AND 'u' 'ctrl' AND 'i'
- save
'ctrl' AND 's'
Problems encountered after installation of debian
On start and halt
PROBLEM:
exim paniclog /var/log/exim4/paniclog has non-zero size, mail system possibly broken
SOLUTION:
rm /var/log/exim4/paniclog
PROBLEM: the network had to be started manually:
dhclient eth0
PROBLEM: when 'auto eth0' was added to /etc/network/interfaces, NFS got stuck on boot.
SOLUTION: there was no 'auto lo' in /etc/network/interfaces. Adding that plus 'auto eth0' makes it work.
2. Assignment: Install a graphic interface on a Debian installation
Install Debian with nothing else than the minimum (except for laptop)
Install XOrg
apt-get install xorg
Install Gnome
apt-get install gnome-core
to test the installation:
startx
change the resolution
CTRL + ALT + '+' and CTRL + ALT + '-'
list the available resolutions and change it:
xrandr -q
xrandr -s <resolution>
Install a display manager
apt-get install gdm
to start it
gdm
Install proprietary graphic card drivers:
The driver builds a kernel module, so you need the headers of the running kernel.
Check the kernel version
uname -r
Install the kernel headers and link them to the linux directory
apt-get install linux-headers-...
rm /usr/src/linux
ln -s /usr/src/linux-headers-... /usr/src/linux
Install the compilers
apt-get install gcc g++
For the nvidia cards
Download the latest drivers from the nvidia website.
Stop gdm (might need a kill)
/etc/init.d/gdm stop
Install the driver
sh NVIDIA...
Don't download the kernel interface. Ask for a compilation of a new interface. Run nvidia-xconfig and restart gdm:
nvidia-xconfig
/etc/init.d/gdm restart
To remove the logo in xorg.conf
Option "NoLogo" "1"
3. Assignment: Install Amanda & use it
Installation
create the directory structure for the folders to keep the backup
mkdir /mnt/backup
#mount $DISK /mnt/backup/
mkdir /mnt/backup/vtapes /mnt/backup/holding /mnt/backup/holding/sam
chown backup.disk -R /mnt/backup/*
create the config in /etc/amanda
mkdir /etc/amanda/sam-daily
touch /etc/amanda/sam-daily/amanda.conf
touch /etc/amanda/sam-daily/disklist
chown -R backup.backup /etc/amanda/sam-daily
/etc/amanda/sam-daily/amanda.conf
org "sam"
mailto "root"
dumpcycle 7
runspercycle 5
tapecycle 30
dumpuser "backup"
tpchanger "chg-disk:/mnt/backup/vtapes/sam" # a virtual tape changer
#tapedev "/dev/nst0a" # the tapechanger
#tapedev "file:/mnt/backup/vtapes/offering"
changerfile "/var/lib/amanda/sam/changerfile"
labelstr "SAM.*"
label_new_tapes "SAM-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/sam"
infofile "/var/lib/amanda/sam/curinfo"
indexdir "/var/lib/amanda/sam/index"
tapelist "/var/lib/amanda/sam/tapelist"
runtapes 5
#usetimestamps YES
dtimeout 3600 #seconds per client per dump

holdingdisk hd1 {
    directory "/mnt/backup/holding/sam"
}

define dumptype comp-tar {
    program "GNUTAR"
    index yes
    # record no # Important! avoid interfering with production runs
    auth "bsdtcp"
}

define dumptype user-tar-span {
    comp-tar
    tape_splitsize 445 MB
    auth "bsd"
    #holdingdisk no
    #split_diskbuffer "/mnt/holding/diskbuffer"
    #fallback_splitsize 100M
    comment "tape-spanning user partitions dumped with tar"
    #exclude list "/etc/amanda/sam-daily/exclude-list"
}

define dumptype user-tar-span-home {
    user-tar-span
    comment "excluding all the unwanted things from /home"
    # exclude list "/etc/amanda/sam-daily/exclude-list"
}

define tapetype DVD_SIZED_DISK {
    filemark 4 KB
    length 4482 MB
}
echo debian-server-test-sam.bluelight.av backup amdump >> /var/backups/.amandahosts
/etc/amanda/sam-daily/disklist
debian-server-test-sam.bluelight.av /etc  user-tar-span
debian-server-test-sam.bluelight.av /var  user-tar-span
debian-server-test-sam.bluelight.av /root user-tar-span
#debian-server-test-sam.bluelight.av /home/./all /home/ {
#    user-tar-span
#    exclude append "./media_no_backup"
#}
as the backup user create all the virtual tapes and label them
su backup -c "mkdir /mnt/backup/vtapes/sam"
for i in `seq 30`; do su backup -c "mkdir /mnt/backup/vtapes/sam/slot$i"; done
cd /mnt/backup/vtapes/sam && ln -s slot1 data
create the tapelist
su backup -c "mkdir /var/lib/amanda/sam"
su backup -c "touch /var/lib/amanda/sam/tapelist"
label the tapes
for i in `seq 30`; do su backup -c "/usr/sbin/amlabel sam-daily SAM-$i slot $i"; done
/root/scripts/amanda-backup (after creating the folder)
#!/bin/bash
#mount ${DISK} /mnt/backup
su backup -c "/usr/sbin/amdump sam-daily"
#sleep 5
#umount /mnt/backup
exit 0
chmod +x /root/scripts/amanda-backup
Recover
Create the directory where the recovery should be dumped: /mnt/recovery
In order to be able to run a recovery, add the following line to /etc/amandahosts:
localhost root amindexd amidxtaped
Go to the /mnt/recovery folder
amrecover sam-daily
listhost
sethost debian-server-test-sam.bluelight.av
listdisk
setdisk /etc
cd <folder name>    (ls works too)
add <name of the folder to recover, or * for everything>
extract
exit
Problems encountered
...amanda.conf ...Line 54: end of line expected
SOLUTION: Press 'ENTER' at the end of the file and save.
4. Assignment: Weekly backup for server cupcake
First phase: Test on VirtualBox
Clone the amanda disk already created.
Do it by exporting the appliance and then importing it, preferably with a new name.
PROBLEM: the cloned VM uses the same LAN card and the same MAC address.
SOLUTION: change the MAC address in VirtualBox and change it in the OS:
emacs /etc/udev/rules.d/70-persistent-net.rules
keep the interface with the new MAC address and make sure it is named eth0. Restart the OS.
Create the virtual drive and mount its partitions on the server
Create 1 drive in VirtualBox and create 2 partitions:
fdisk -l
cfdisk /dev/sdb
format the partitions and mount them:
mkfs.ext3 /dev/sdb1
mkfs.ext3 /dev/sdb2
mkdir /media/backup-data
mkdir /media/backup-data2
mount -t ext3 /dev/sdb1 /media/backup-data
mount -t ext3 /dev/sdb2 /media/backup-data2
Create a daily backup of the second virtual OS
Second phase: Configure CUPCAKE
Explanation of runspercycle and other settings in amanda.conf
dumpcycle: the number of days after which every entry has had a full backup again (ex: every 4 weeks = 28)
runspercycle (runs per cycle): how many backup runs per dumpcycle (ex: every week = 4)
runtapes: how many tapes to use per run (ex: biggest disklist entry + a bit / tapetype size = 12)
tapecycle: how many tapes are available; the number decreases at every run. runtapes * runspercycle + a bit (ex: 50)
tapetype: defines the size of a tape (ex: DVD size: 4,5G)

Example with dumpcycle 28, runspercycle 4, runtapes 12 and three entries: DLE_1 10G, DLE_2 45G, DLE_3 1G

day  1-6   -
day  7     run, 12 tapes
day  8-13  -
day 14     run, 12 tapes
day 15-20  -
day 21     run, 12 tapes
day 22-27  -
day 28     run, 12 tapes (end of the dumpcycle)
Creating the script adapted to the present situation of the server (12/2011)
#!/bin/bash
## this is to automate the amanda setup
## variables used.
SERVICE=bluelight
FREQ=-weekly                        # frequency of the backup
MOUNTPOINT1=/media/backup-data      # mountpoint for holding
MOUNTPOINT2=/media/backup-data2     # mountpoint for backup
TAPE=`echo ${SERVICE}${FREQ} | tr '[a-z]' '[A-Z]'`

## create the directory structure for the folders to keep the backup
mkdir ${MOUNTPOINT1}/amanda ${MOUNTPOINT1}/amanda/holding ${MOUNTPOINT1}/amanda/holding/${SERVICE}${FREQ}
mkdir -p ${MOUNTPOINT2}/amanda/vtapes   # added: parent of the vtapes created below, the original never created it
chown backup.disk -R ${MOUNTPOINT2}/amanda/*
chown backup.disk -R ${MOUNTPOINT1}/amanda/*

## create the config in /etc/amanda
mkdir /etc/amanda/${SERVICE}${FREQ}
touch /etc/amanda/${SERVICE}${FREQ}/amanda.conf
touch /etc/amanda/${SERVICE}${FREQ}/disklist
chown -R backup.backup /etc/amanda/${SERVICE}${FREQ}

## The config files
cat << EOF > /etc/amanda/${SERVICE}${FREQ}/amanda.conf
org "Bluelight"
mailto "bluelight@auroville.org.in"
dumpcycle 28
runspercycle 4
runtapes 15
tapecycle 60
dumpuser "backup"
tpchanger "chg-disk" # a virtual tape changer
tapedev "file:/media/backup-data2/amanda/vtapes/bluelight-weekly"
changerfile "/var/lib/amanda/bluelight-weekly/changerfile"
labelstr "BLUELIGHT-WEEKLY-.*"
#label_new_tapes "BLUELIGHT-WEEKLY-%%"
tapetype DVD_SIZED_DISK
logdir "/var/lib/amanda/bluelight-weekly"
infofile "/var/lib/amanda/bluelight-weekly/curinfo"
indexdir "/var/lib/amanda/bluelight-weekly/index"
tapelist "/var/lib/amanda/bluelight-weekly/tapelist"

holdingdisk hd1 {
    directory "/media/backup-data/amanda/holding/bluelight-weekly"
}

define dumptype comp-tar {
    program "GNUTAR"
    compress fast
    index yes
    # record no # Important! avoid interfering with production runs
}

define dumptype user-tar-span {
    comp-tar
    tape_splitsize 445 MB
    holdingdisk no
    split_diskbuffer "/media/backup-data/amanda/holding/diskbuffer"
    fallback_splitsize 100M
    comment "tape-spanning user partitions dumped with tar"
    compress none
}

define dumptype user-tar-span-home {
    user-tar-span
    comment "excluding all the unwanted things from /home"
    exclude list "/etc/exclude-list"
    compress none
}

define tapetype DVD_SIZED_DISK {
    filemark 4 KB
    length 4482 MB
}
EOF

## create the disklist
cat <<EOF > /etc/amanda/${SERVICE}${FREQ}/disklist
rose.bluelight.av /etc  user-tar-span
rose.bluelight.av /root user-tar-span
rose.bluelight.av /var  user-tar-span
#192.168.10.12 /home/aufilduweb/data/Entreprises/Auroville/ user-tar-span
#
#192.168.10.12 /var/www/./programming /var/www {
#    user-tar-span
##   auth "bsdtcp"
#    include "./meeting"
#    include "./act"
#    include "./mm_visitor_access"
#} 2
#this section is for everything in /home
######
rose.bluelight.av /home/./bharathy /home/ {
    user-tar-span-home
    include "./bharathy"
} 1
rose.bluelight.av /home/./juergen /home/ {
    user-tar-span-home
    include "./juergen"
} 1
rose.bluelight.av /home/./resources /home/ {
    user-tar-span-home
    include "./resources"
} 1
rose.bluelight.av /home/./rest /home/ {
    user-tar-span-home
    exclude append "./bharathy"
    exclude append "./juergen"
    exclude append "./resources"
    exclude append "./backup"
    exclude append "./backup_services"
    exclude append "./rdiff-backup"
    exclude append "./classes"
    exclude append "./joy"
    exclude append "./sincerity"
    exclude append "./surrender"
    exclude append "./music"
} 1
######
EOF

## as the backup user create all the virtual tapes and label them
su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}"
for i in `seq 30`; do su backup -c "mkdir ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ}/slot$i"; done
cd ${MOUNTPOINT2}/amanda/vtapes/${SERVICE}${FREQ} && ln -s slot1 data

## create the tapelist
su backup -c "mkdir /var/lib/amanda/${SERVICE}${FREQ}"
su backup -c "touch /var/lib/amanda/${SERVICE}${FREQ}/tapelist"

## label the tapes
for i in `seq 30`; do su backup -c "/usr/sbin/amlabel ${SERVICE}${FREQ} ${TAPE}-$i slot $i"; done

[ -d /root/scripts ] || mkdir /root/scripts

## create the starting script
cat <<EOF > /root/scripts/amanda-${SERVICE}${FREQ}-backup
#!/bin/bash
su backup -c "/usr/sbin/amdump ${SERVICE}${FREQ}"
sleep 20
# if the machine should stay on after the backup create a file in / called no
# ie touch /no
if [ -f /no ]
then
    rm -f /no
    exit 0
else
    /sbin/halt
fi
exit 0
EOF
chmod +x /root/scripts/amanda-${SERVICE}${FREQ}-backup
exit 0
Create a crontab entry
# m h dom mon dow command
17 12 * * 1-4 /root/scripts/backup-bluelight
17 12 * * 5   /root/scripts/backup-bluelight-weekly
changed the runspercycle of the daily backup to 4 in amanda.conf
PROBLEM:
amrecover bluelight-weekly
AMRECOVER Version 2.5.2p1. Contacting server on localhost ... [request failed: timeout waiting for ACK]
SOLUTION:
amrecover bluelight-weekly -s cupcake.bluelight.av -t cupcake.bluelight.av
5. Assignment: Make a weekly offsite backup of the TownHall
Rdiff-backup
Install rdiff-backup on the server and on the workstation.
apt-get install rdiff-backup
and create a backup folder on the server (ex: /backup/servername/)
Log in using an ssh key
As root on the workstation create the key; do not enter any passphrase.
ssh-keygen -t rsa
Copy the public key to the server
scp /root/.ssh/id_rsa.pub root@192.168.10.91:/root/
Append the public key to the .ssh/authorized_keys (in the home folder) of the user you want to log in as
cat id_rsa.pub >> /root/.ssh/authorized_keys
change in /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin without-password
If ssh doesn't work, check the group and owner of .ssh/authorized_keys, or check the name of the file...
Create a backup list
/root/rdiff-backups/backup-list-server
/home/
- /
Create an ssh alias to access the server
/root/.ssh/config
Host backup-server
    Hostname 192.168.10.91
    User root
    IdentityFile /root/.ssh/id_rsa_backup_raspberry
    Protocol 2
test the backup with:
rdiff-backup --force --include-globbing-filelist /root/rdiff-backups/backup-list-server / backup-server::/backup/raspberry/
Secure the ssh authentication
In /root/.ssh/authorized_keys add the following before 'ssh-rsa....'
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
so the file's line looks like:
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA[......]3UV/ root@raspberry
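An added example (not part of the original notes) that audits an authorized_keys file for keys lacking the restrictions used on the rdiff-backup key above: any key without command=, from= and the no-* options gives its holder a normal shell on the backup server instead of only `rdiff-backup --server`. The file at the bottom is constructed and its key material is a placeholder; `sed -E` is assumed available.

```shell
#!/bin/bash
# Added example, not part of the original notes: audit an authorized_keys file
# for keys that lack the restrictions used on the rdiff-backup key above
# (command=, from= and the no-* options).

REQUIRED_OPTS='command= from= no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty'

# Returns the option prefix of one authorized_keys line: everything before the
# key type token. Options may contain spaces inside quotes, so the split is on
# the key type rather than on the first blank. Key types covered: ssh-rsa,
# ssh-dss, ssh-ed25519 and ecdsa-sha2-nistp*; others would need adding.
key_options() {               # usage: key_options LINE
    printf '%s\n' "$1" |
        sed -E 's/[[:space:]]*(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)[[:space:]].*$//'
}

# Prints "line N: missing <opts>" for each key that is not fully restricted.
audit_authorized_keys() {     # usage: audit_authorized_keys FILE
    local n=0 line opts missing opt
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac      # blank lines and comments
        opts=$(key_options "$line")
        missing=''
        for opt in $REQUIRED_OPTS; do
            case "$opts" in *"$opt"*) ;; *) missing="$missing $opt" ;; esac
        done
        [ -z "$missing" ] || echo "line $n: missing$missing"
    done < "$1"
}

# Number of keys that failed the audit (0 means every key is restricted).
unrestricted_key_count() {    # usage: unrestricted_key_count FILE
    audit_authorized_keys "$1" | wc -l | tr -d ' '
}

# Demonstration on a constructed file: the first key is restricted exactly like
# the one in the notes, the second is an ordinary interactive key.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, the key material is a placeholder
command="rdiff-backup --server",from="raspberry.bluelight.av",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB[placeholder] root@raspberry
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI[placeholder] someone@laptop
EOF
audit_authorized_keys "$demo"
echo "unrestricted keys: $(unrestricted_key_count "$demo")"
rm -f "$demo"
```

Run `audit_authorized_keys /root/.ssh/authorized_keys` on the backup server after adding the key; a count of 0 means the only thing any of those keys can start is the server side of rdiff-backup.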
Command line to remove old backups
rdiff-backup --remove-older-than 2W backup-server::/backup/raspberry/
6. Configure an LDAP Fat Server/Client
https://help.ubuntu.com/community/UbuntuLTSP/FatClients
http://wiki.bluelightav.org/display/BLUE/Open+LDAP
http://www.danbishop.org/2011/05/01/ubuntu-11-04-sbs-small-business-server-setup-part-3-openldap/
http://ubuntuforums.org/showthread.php?t=1054966
http://ubuntuforums.org/showthread.php?t=1488232
https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html
http://ubuntuforums.org/archive/index.php/t-1156240.html
Install and configure LTSP
On the server:
if not done before, configure the sources.list files to use the cache of the server:
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list
sed -i 's#http://#http://192.168.10.1:3142/#g' /etc/apt/sources.list.d/medibuntu.list   # original had 's#http:/#...', which leaves a double slash
apt-get update
Install ltsp-server-standalone:
sudo apt-get install ltsp-server-standalone
Edit the installation options of ltsp-build-client (/etc/ltsp/ltsp-build-client.conf):
# The chroot architecture.
ARCH=i386
# ubuntu-desktop and edubuntu-desktop are tested.
# If you test with [k|x]ubuntu-desktop, edit this page and mention if it worked OK.
# kubuntu lucid (10.10) working okay.
FAT_CLIENT_DESKTOPS="ubuntu-desktop"
# Space separated list of programs to install.
# The java plugin installation contained in ubuntu-restricted-extras
# needs some special care, so let's use it as an example.
LATE_PACKAGES="
    ubuntu-restricted-extras
    gimp
    nfs-client
"
# This is needed to answer "yes" to the Java EULA.
# We'll create that file in the next step.
DEBCONF_SEEDS="/etc/ltsp/debconf.seeds"
# This uses the server apt cache to speed up downloading.
# This locks the servers dpkg, so you can't use apt on
# the server while building the chroot.
MOUNT_PACKAGE_DIR="/var/cache/apt/archives/"
Create and edit the following file (the DEBCONF_SEEDS file above, /etc/ltsp/debconf.seeds) for the unattended Java and msttcorefonts installation:
# Do you agree with the DLJ license terms?
sun-java6-bin shared/accepted-sun-dlj-v1-1 boolean true
sun-java6-jre shared/accepted-sun-dlj-v1-1 boolean true
# In order to install this package, you must accept the license terms, the
# "TrueType core fonts for the Web EULA ". Not accepting will cancel the
# installation. Do you accept the EULA license terms?
ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula boolean true
If LTSP is installed on an Oneiric system (otherwise go to the next step):
The fat client plugin blacklists some packages that don't make sense to have in a fat client chroot.
Unfortunately in Oneiric xdiagnose depends on one of those packages, apport, so the fat client plugin needs to be manually edited for ltsp-build-client to complete successfully.
Open the following file and remove the word "apport" from line 43:
/usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/030-fat-client
Build the client (even when using the server's cache, some of the files will be downloaded from the internet; if a solution is found please update this page)
ltsp-build-client --mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu --security-mirror http://192.168.10.1:3142/security.ubuntu.com/ubuntu --updates-mirror http://192.168.10.1:3142/archive.ubuntu.com/ubuntu
if this doesn't work you can always modify the configuration files:
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/000-basic-configuration
emacs /usr/share/ltsp/plugins/ltsp-build-client/Ubuntu/010-updates-mirrors
You can also use the fat chroot to run thin clients, not only fat ones. This way you can have a mix of powerful and less powerful clients, which will boot as "fat" or "thin" depending on their RAM (consider the fat chroot a "superset" of a thin one, so a thin boot uses only a small but common part of it). The parameter that sets the RAM threshold is:
FAT_RAM_THRESHOLD
which defaults to 300 (MB). So if you want your clients to boot as fat ones only if they have more than 800MB, edit lts.conf and put:
FAT_RAM_THRESHOLD=800
Another interesting feature is to have a server directory available to all the fat clients. For instance, to have the fat clients mount the server's /srv as their own /srv, add this parameter:
LOCAL_APPS_EXTRAMOUNTS=/srv
-------------------------
Install and configure DHCP
Configure /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 192.168.2.1
    netmask 255.255.255.0
    broadcast 192.168.2.255
cp /etc/ltsp/dhcpd.conf /etc/ltsp/dhcpd-backup.conf
emacs /etc/ltsp/dhcpd.conf
#
# Default LTSP dhcpd.conf config file.
#
#authoritative;

subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.2 192.168.2.250;
    option domain-name "LSTPtest.av";
    option domain-name-servers 192.168.2.1;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
#    next-server 192.168.2.1;
#    get-lease-hostnames true;
    option subnet-mask 255.255.255.0;
    option root-path "/opt/ltsp/i386";
    if substring( option vendor-class-identifier, 0, 9 ) = "PXEClient" {
        filename "/ltsp/i386/pxelinux.0";
    } else {
        filename "/ltsp/i386/nbi.img";
    }
}
sudo /etc/init.d/networking restart
sudo /etc/init.d/isc-dhcp-server restart
If there are problems, kill NetworkManager or even uninstall it, as it interferes with the dhcp config.
killall NetworkManager
WORKS UNTIL HERE, CLIENTS BOOT
Install and configure LDAP
Install the server dependencies
apt-get install slapd ldap-utils ldapscripts
Create /etc/ldap/frontend.bluelight.av.ldif
dn: ou=Users,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Users

dn: ou=Groups,dc=bluelight,dc=av
objectClass: organizationalUnit
ou: Groups
ldapadd -x -D cn=admin,dc=bluelight,dc=av -W -f frontend.bluelight.av.ldif
If you get the error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Try to start slapd:
/etc/init.d/slapd start
If you get the credential error, try to reconfigure/reinstall slapd (in /etc/ldap):
rm -R slapd.d/
dpkg-reconfigure slapd
If it still doesn't work, check the following file:
- slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif
You can also change the olcRootPW to secret there. The value in the dump below is base64 encoded (the double colon) because it is a {SSHA} hash produced by slappasswd; a cleartext value such as secret works, but then the directory's root password is readable by anyone who can read the file.
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=bluelight,dc=av
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=bluelight,dc=av" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=bluelight,dc=av" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=bluelight,dc=av
olcRootPW:: e1NTSEF9ZHVjOVVVLytLcnpqMEtaRDhtWHkwMWxMcmFrUVkrN2I=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 8cf0846c-d6d0-1030-8040-b16ccc9dfedc
creatorsName: cn=config
createTimestamp: 20120119100316Z
entryCSN: 20120119100316.322583Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120119100316Z
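Added example (not from the notes or from OpenLDAP) that reports how olcRootPW is stored in a cn=config LDIF such as the one above: a trailing "::" marks a base64-encoded value, and a decoded value starting with a {SCHEME} tag is a hash from slappasswd, anything else is a cleartext password. It assumes an unfolded LDIF and `base64 -d`; the hashed sample is the value from the dump, the cleartext sample uses the "secret" mentioned above.

```shell
#!/bin/bash
# Added example, not part of the original notes: report how olcRootPW is
# stored in a cn=config LDIF. "olcRootPW::" (two colons) means base64; a decoded
# value beginning with a {SCHEME} tag is a slappasswd hash, anything else is
# cleartext. Folded (continued) LDIF lines are not handled.

rootpw_scheme() {             # usage: rootpw_scheme LDIF -> prints e.g. "{SSHA}", "plaintext" or "none"
    local val scheme
    val=$(sed -n 's/^olcRootPW:: *//p' "$1" | head -n 1)
    if [ -n "$val" ]; then
        val=$(printf '%s' "$val" | base64 -d)
    else
        val=$(sed -n 's/^olcRootPW: *//p' "$1" | head -n 1)
    fi
    [ -n "$val" ] || { echo none; return 1; }
    # keep only a leading {SCHEME} tag, if there is one
    scheme=$(printf '%s\n' "$val" | sed -n 's/^\({[A-Za-z0-9-]*}\).*/\1/p')
    if [ -n "$scheme" ]; then echo "$scheme"; else echo plaintext; fi
}

# Returns 0 only when the root password is stored hashed.
rootpw_is_hashed() {          # usage: rootpw_is_hashed LDIF
    case "$(rootpw_scheme "$1")" in '{'*) return 0 ;; *) return 1 ;; esac
}

# Demonstration on two constructed LDIF fragments: the hashed value is the one
# shown in the dump above, the other is the cleartext "secret" mentioned above.
d=$(mktemp -d)
printf 'dn: olcDatabase={1}hdb\nolcRootPW:: e1NTSEF9ZHVjOVVVLytLcnpqMEtaRDhtWHkwMWxMcmFrUVkrN2I=\n' > "$d/hashed.ldif"
printf 'dn: olcDatabase={1}hdb\nolcRootPW: secret\n' > "$d/plain.ldif"
echo "hashed.ldif: $(rootpw_scheme "$d/hashed.ldif")"
echo "plain.ldif:  $(rootpw_scheme "$d/plain.ldif")"
rm -rf "$d"
```

A hashed value is produced with `slappasswd` (it prints the {SSHA} string), and that string is what belongs in olcRootPW rather than a cleartext word; the check above tells the two apart without printing the secret itself.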
Install the authentication for the server
apt-get install ldap-auth-client auth-client-config
This is done with a simple migration tool called auth-client-config.
The configuration is done via its profiles, which are stored in /etc/auth-client-config/profile.d.
Save the current, untouched configuration, list the existing profiles and apply the one we want:
auth-client-config -S > /etc/auth-client-config/profile.d/original-config
auth-client-config -l
auth-client-config -p lac_ldap -a
This will update the files in /etc/pam.d/ and the nsswitch.conf
Change in /etc/ldapscripts/ldapscripts.conf
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups" # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users" # Users ou (just under $SUFFIX)
GIDSTART="2000" # Group ID
UIDSTART="2000" # User ID
HOMESKEL="/etc/skel" # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700" # Default permissions for home directories
GETENTPWCMD=""
GETENTGRCMD=""
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
The original:
# Copyright (C) 2005 Ganaël LAPLANCHE - Linagora
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Note for Debian users:
# On Debian system ldapscripts will try to parse and use some system config.
# Look on commented variables and description lines started with DEBIAN.
# But you could override it's values here.

# LDAP Configuration
# DEBIAN: values from /etc/pam_ldap.conf are used.
SERVER="ldap://localhost"
BINDDN="cn=admin,dc=bluelight,dc=av"
# The following file contains the raw password of the binddn
# Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable
# DEBIAN: /etc/pam_ldap.secret or /etc/ldap.secret are used.
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence)
#BINDPWD="secret"
# DEBIAN: values from /etc/pam_ldap.conf are used.
SUFFIX="dc=bluelight,dc=av" # Global suffix
GSUFFIX="ou=Groups"         # Groups ou (just under $SUFFIX)
USUFFIX="ou=Users"          # Users ou (just under $SUFFIX)
MSUFFIX="ou=Machines"       # Machines ou (just under $SUFFIX)
# Start with these IDs *if no entry found in LDAP*
GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
#MIDSTART="20000" # Machine ID

# User properties
# DEBIAN: values from /etc/adduser.conf are used.
#USHELL="/bin/sh"
#UHOMES="/home/%u"    # You may use %u for username here
#CREATEHOMES="no"     # Create home directories and set rights ?
HOMESKEL="/etc/skel"  # Directory where the skeleton files are located. Ignored if undefined or nonexistant.
HOMEPERMS="700"       # Default permissions for home directories

# User passwords generation
# Command-line used to generate a password for added users (you may use %u for username here)
# WARNING !!!! This is evaluated, everything specified here will be run !
# Special value "<ask>" will ask for a password interactively
#PASSWORDGEN="cat /dev/random | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c8"
#PASSWORDGEN="head -c8 /dev/random | uuencode -m - | sed -n '2s|=*$||;2p' | sed -e 's|+||g' -e 's|/||g'"
#PASSWORDGEN="pwgen"
#PASSWORDGEN="echo changeme"
#PASSWORDGEN="echo %u"
#PASSWORDGEN="<ask>"
#PASSWORDGEN="pwgen"

# User passwords recording
# you can keep trace of generated passwords setting PASSWORDFILE and RECORDPASSWORDS
# (useful when performing a massive creation / net rpc vampire)
# WARNING !!!! DO NOT FORGET TO DELETE THE GENERATED FILE WHEN DONE !
# WARNING !!!! DO NOT FORGET TO TURN OFF RECORDING WHEN DONE !
#RECORDPASSWORDS="no"
#PASSWORDFILE="/var/log/ldapscripts_passwd.log"

# Where to log
#LOGFILE="/var/log/ldapscripts.log"

# Temporary folder
#TMPDIR="/tmp"

# Various binaries used within the scripts
# Warning : they also use uuencode, date, grep, sed, cut, expr, which...
# Please check they are installed before using these scripts
# Note that many of them should come with your OS

# OpenLDAP client commands
#LDAPSEARCHBIN="/usr/bin/ldapsearch"
#LDAPADDBIN="/usr/bin/ldapadd"
#LDAPDELETEBIN="/usr/bin/ldapdelete"
#LDAPMODIFYBIN="/usr/bin/ldapmodify"
#LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
#LDAPPASSWDBIN="/usr/bin/ldappasswd"

# Character set conversion : $ICONVCHAR <-> UTF-8
# Comment ICONVBIN to disable UTF-8 conversion
#ICONVBIN="/usr/bin/iconv"
#ICONVCHAR="ISO-8859-15"

# Base64 decoding
# Comment UUDECODEBIN to disable Base64 decoding
#UUDECODEBIN="/usr/bin/uudecode"

# Getent command to use - choose the ones used
# on your system. Leave blank or comment for auto-guess.
# GNU/Linux
#GETENTPWCMD="getent passwd"
#GETENTGRCMD="getent group"
# FreeBSD
#GETENTPWCMD="pw usershow"
#GETENTGRCMD="pw groupshow"
# Auto
GETENTPWCMD=""
GETENTGRCMD=""

# You can specify custom LDIF templates here
# Leave empty to use default templates
# See *.template.sample for default templates
#GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""
Add a user
ldapadduser testuser users
Install and configure NFS
install the main package
aptitude install nfs-kernel-server
and configure the shares by adding the following to /etc/exports
/home 192.168.10.0/24(rw,async,no_subtree_check)
On the client:
Chroot into the client's system (the LTSP chroot, /opt/ltsp/i386)
Install and configure LDAP
The following works for clients using 8.04 and 8.10
install some software
aptitude install auth-client-config ldap-auth-client
provide the uri for the ldap server: ldap://192.168.10.1
provide the distinguished name: dc=bluelight,dc=av
LDAP version 3
Make local root database: yes
Does the LDAP database require login? no
LDAP account for root: cn=admin,dc=bluelight,dc=av
Save the following as the file /etc/auth-client-config/profile.d/bl-ldap
[bl-ldap]
nss_group=group: files ldap
nss_passwd=passwd: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: nis
pam_account=account sufficient pam_ldap.so
	account required pam_unix.so
pam_auth=auth sufficient pam_ldap.so
	auth required pam_unix.so nullok_secure use_first_pass
pam_password=password sufficient pam_ldap.so
	password required pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session required pam_unix.so
	session required pam_mkhomedir.so skel=/etc/skel/
	session optional pam_ldap.so
	session optional pam_foreground.so
Save the current settings and tell PAM to use LDAP
auth-client-config -S > /etc/auth-client-config/profile.d/original
auth-client-config -p bl-ldap -a
add the following to /etc/security/group.conf
gdm;*;*;Al0000-2400;plugdev,fuse,scanner,video,audio,lpadmin,cdrom,dip
add following line to /etc/pam.d/gdm right before @include common-auth
auth optional pam_group.so
make sure that the ldap settings are correct, as specified in /etc/ldap.conf
base dc=bluelight,dc=av
uri ldap://192.168.10.1
ldap_version 3
rootbinddn cn=admin,dc=bluelight,dc=av
pam_password md5
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,daemon,dhcpd,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,nbd,news,polkituser,proxy,pulse,root,saned,sshd,statd,sync,sys,syslog,uucp,www-data
Little reminder: the following grep command strips the comments and blank lines
grep -v -e ^$ -e ^# /etc/ldap.conf
Make the client ready for nfs
install the needed packages
aptitude install nfs-client
make the fstab ready for mounting the home directory
nfsserver.bluelight.av:/home /home nfs defaults 0 0