Ubuntu 10.04 LTS User Manual

Ubuntu Server Guide

Abstract

Welcome to the Ubuntu Server Guide! It contains information on how to install and configure various server applications on your Ubuntu system to fit your needs. It is a step-by-step, task-oriented guide for configuring and customizing your system.

Credits and License

This document is maintained by the Ubuntu documentation team (https://wiki.ubuntu.com/DocumentationTeam). For a list of contributors, see the contributors page

This document is made available under the Creative Commons ShareAlike 2.5 License (CC-BY-SA).

You are free to modify, extend, and improve the Ubuntu documentation source code under the terms of this license. All derivative works must be released under this license.

This documentation is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER.

A copy of the license is available here: Creative Commons ShareAlike License2.

https://launchpad.net/~ubuntu-core-doc

../../libs/C/contributors.xml

/usr/share/ubuntu-docs/libs/C/ccbysa.xml

1. Introduction ........................................................................................................................... 1

1. Support .......................................................................................................................... 2

2. Installation ............................................................................................................................. 3

1. Preparing to Install ......................................................................................................... 4

2. Installing from CD ......................................................................................................... 6

3. Upgrading ...................................................................................................................... 9

4. Advanced Installation ................................................................................................... 10

3. Package Management ........................................................................................................... 17

1. Introduction ................................................................................................................. 18

2. dpkg ............................................................................................................................ 19

3. Apt-Get ........................................................................................................................ 20

4. Aptitude ....................................................................................................................... 22

5. Automatic Updates ....................................................................................................... 24

6. Configuration ............................................................................................................... 26

7. References ................................................................................................................... 28

4. Networking .......................................................................................................................... 29

1. Network Configuration ................................................................................................. 30

2. TCP/IP ......................................................................................................................... 38

3. Dynamic Host Configuration Protocol (DHCP) .............................................................. 42

4. Time Synchronisation with NTP ................................................................................... 45

5. Remote Administration ......................................................................................................... 47

1. OpenSSH Server .......................................................................................................... 48

2. eBox ............................................................................................................................ 51

6. Network Authentication ........................................................................................................ 54

1. OpenLDAP Server ....................................................................................................... 55

2. Samba and LDAP ........................................................................................................ 74

3. Kerberos ...................................................................................................................... 79

4. Kerberos and LDAP ..................................................................................................... 86

7. Domain Name Service (DNS) ............................................................................................... 92

1. Installation ................................................................................................................... 93

2. Configuration ............................................................................................................... 94

3. Troubleshooting ........................................................................................................... 99

4. References ................................................................................................................. 103

8. Security ............................................................................................................................. 104

1. User Management ....................................................................................................... 105

2. Console Security ........................................................................................................ 111

3. Firewall ...................................................................................................................... 112

4. AppArmor .................................................................................................................. 119

5. Certificates ................................................................................................................. 123

6. eCryptfs ..................................................................................................................... 128

iii

Ubuntu Server Guide

9. Monitoring ......................................................................................................................... 130

1. Overview ................................................................................................................... 131

2. Nagios ....................................................................................................................... 132

3. Munin ........................................................................................................................ 136

10. Web Servers ..................................................................................................................... 138

1. HTTPD - Apache2 Web Server ................................................................................... 139

2. PHP5 - Scripting Language ......................................................................................... 146

3. Squid - Proxy Server .................................................................................................. 148

4. Ruby on Rails ............................................................................................................ 150

5. Apache Tomcat .......................................................................................................... 152

11. Databases ......................................................................................................................... 156

1. MySQL ...................................................................................................................... 157

2. PostgreSQL ................................................................................................................ 159

12. LAMP Applications .......................................................................................................... 161

1. Overview ................................................................................................................... 162

2. Moin Moin ................................................................................................................. 163

3. MediaWiki ................................................................................................................. 165

4. phpMyAdmin ............................................................................................................. 167

13. File Servers ...................................................................................................................... 169

1. FTP Server ................................................................................................................. 170

2. Network File System (NFS) ........................................................................................ 174

3. CUPS - Print Server ................................................................................................... 176

14. Email Services .................................................................................................................. 179

1. Postfix ....................................................................................................................... 180

2. Exim4 ........................................................................................................................ 187

3. Dovecot Server ........................................................................................................... 190

4. Mailman .................................................................................................................... 192

5. Mail Filtering ............................................................................................................. 198

15. Chat Applications ............................................................................................................. 204

1. Overview ................................................................................................................... 205

2. IRC Server ................................................................................................................. 206

3. Jabber Instant Messaging Server .................................................................................. 208

16. Version Control System .................................................................................................... 210

1. Bazaar ........................................................................................................................ 211

2. Subversion ................................................................................................................. 212

3. CVS Server ................................................................................................................ 217

4. References ................................................................................................................. 219

17. Windows Networking ....................................................................................................... 220

1. Introduction ................................................................................................................ 221

2. Samba File Server ...................................................................................................... 222

3. Samba Print Server ..................................................................................................... 224

4. Securing a Samba File and Print Server ....................................................................... 226

Ubuntu Server Guide

5. Samba as a Domain Controller .................................................................................... 230

6. Samba Active Directory Integration ............................................................................. 234

7. Likewise Open ........................................................................................................... 236

18. Backups ........................................................................................................................... 240

1. Shell Scripts ............................................................................................................... 241

2. Archive Rotation ........................................................................................................ 245

3. Bacula ........................................................................................................................ 248

19. Virtualization .................................................................................................................... 253

1. libvirt ......................................................................................................................... 254

2. JeOS and vmbuilder ................................................................................................... 259

3. UEC .......................................................................................................................... 269

4. OpenNebula ............................................................................................................... 278

20. Clustering ......................................................................................................................... 281

1. DRBD ........................................................................................................................ 282

21. VPN ................................................................................................................................. 285

1. OpenVPN .................................................................................................................. 286

22. Other Useful Applications ................................................................................................. 290

1. pam_motd .................................................................................................................. 291

2. etckeeper .................................................................................................................... 293

3. Byobu ........................................................................................................................ 295

4. References ................................................................................................................. 297

A. Appendix .......................................................................................................................... 298

1. Reporting Bugs in Ubuntu Server Edition .................................................................... 299

List of Tables

2.1. Recommended Minimum Requirements ................................................................................ 4

16.1. Access Methods ............................................................................................................. 213

19.1. UEC Front End Requirements ........................................................................................ 269

19.2. UEC Node Requirements ............................................................................................... 270

Chapter 1. Introduction

Welcome to the Ubuntu Server Guide!

Here you can find information on how to install and configure various server applications. It is a stepby-step, task-oriented guide for configuring and customizing your system.

This guide assumes you have a basic understanding of your Ubuntu system. Some installation details are covered in Chapter 2, Installation [p. 3], but if you need detailed instructions installing Ubuntu please refer to the Ubuntu Installation Guide1.

A HTML version of the manual is available online at the Ubuntu Documentation website2. The HTML files are also available in the ubuntu-serverguide package. See Chapter 3, Package Management [p. 17] for details on installing packages.

If you choose to install the ubuntu-serverguide you can view this document from a console by:

w3m /usr/share/ubuntu-serverguide/html/C/index.html

If you are using a localized version of Ubuntu, replace C with your language localization (e.g. en_GB).

https://help.ubuntu.com/10.04 LTS/installation-guide/

http://help.ubuntu.com

Introduction

1. Support

There are a couple of different ways that Ubuntu Server Edition is supported, commercial support and community support. The main commercial support (and development funding) is available from Canonical Ltd. They supply reasonably priced support contracts on a per desktop or per server basis. For more information see the Canonical Services3 page.

Community support is also provided by dedicated individuals, and companies, that wish to make Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming, but a good search engine query can usually provide an answer to your questions. See the Ubuntu

Support4 page for more information.

http://www.canonical.com/services/support

http://www.ubuntu.com/support

Chapter 2. Installation

This chapter provides a quick overview of installing Ubuntu 10.04 LTS Server Edition. For more detailed instructions, please refer to the Ubuntu Installation Guide1.

https://help.ubuntu.com/10.04 LTS/installation-guide/

Installation

1. Preparing to Install

This section explains various aspects to consider before starting the installation.

1.1. System Requirements

Ubuntu 10.04 LTS Server Edition supports two (2) major architectures: Intel x86 and AMD64. The table below lists recommended hardware specifications. Depending on your needs, you might manage with less than this. However, most users risk being frustrated if they ignore these suggestions.

Table 2.1. Recommended Minimum Requirements

Hard Drive Space

Install Type RAM

Server 128 megabytes 500

The Server Edition provides a common base for all sorts of server applications. It is a minimalist design providing a platform for the desired services, such as file/print services, web hosting, email hosting, etc.

The requirements for UEC are slightly different for Front End requirements see Section 3.2.1,

“Front End Requirements” [p. 269] and for UEC Node requirements see Section 3.2.2, “Node Requirements” [p. 270].

Base

All Tasks Installed

System

1 gigabyte

megabytes

1.2. Server and Desktop Differences

There are a few differences between the Ubuntu Server Edition and the Ubuntu Desktop Edition. It should be noted that both editions use the same apt repositories. Making it just as easy to install a server application on the Desktop Edition as it is on the Server Edition.

The differences between the two editions are the lack of an X window environment in the Server Edition, the installation process, and different Kernel options.

1.2.1. Kernel Differences:

• The Server Edition uses the Deadline I/O scheduler instead of the CFQ scheduler used by the Desktop Edition.

• Preemption is turned off in the Server Edition.

• The timer interrupt is 100 Hz in the Server Edition and 250 Hz in the Desktop Edition.

When running a 64-bit version of Ubuntu on 64-bit processors you are not limited by memory addressing space.

Installation

To see all kernel configuration options you can look through /boot/config-2.6.31-server. Also,

Linux Kernel in a Nutshell2 is a great resource on the options available.

1.3. Backing Up

• Before installing Ubuntu Server Edition you should make sure all data on the system is backed up. See Chapter 18, Backups [p. 240] for backup options.

If this is not the first time an operating system has been installed on your computer, it is likely you will need to re-partition your disk to make room for Ubuntu.

Any time you partition your disk, you should be prepared to lose everything on the disk should you make a mistake or something goes wrong during partitioning. The programs used in installation are quite reliable, most have seen years of use, but they also perform destructive actions.

http://www.kroah.com/lkn/

Installation

2. Installing from CD

The basic steps to install Ubuntu Server Edition from CD are the same for installing any operating system from CD. Unlike the Desktop Edition the Server Edition does not include a graphical installation program. Instead the Server Edition uses a console menu based process.

• First, download and burn the appropriate ISO file from the Ubuntu web site3.

• Boot the system from the CD-ROM drive.

• At the boot prompt you will be asked to select the language. Afterwards the installation process begins by asking for your keyboard layout.

• From the main boot menu there are some additional options to install Ubuntu Server Edition. You can install a basic Ubuntu Server, or install Ubuntu Server as part of a Ubuntu Enterprise Cloud. For more information on UEC see Section 3, “UEC” [p. 269]. The rest of this section will cover the basic Ubuntu Server install.

• The installer then discovers your hardware configuration, and configures the network settings using DHCP. If you do not wish to use DHCP at the next screen choose "Go Back", and you have the option to "Configure the network manually".

• Next, the installer asks for the system's hostname and Time Zone.

• You can then choose from several options to configure the hard drive layout. For advanced disk options see Section 4, “Advanced Installation” [p. 10].

• The Ubuntu base system is then installed.

• A new user is setup, this user will have root access through the sudo utility.

• After the user is setup, you will be asked to encrypt your home directory.

• The next step in the installation process is to decide how you want to update the system. There are three options:

• No automatic updates: this requires an administrator to log into the machine and manually install

updates.

• Install security updates Automatically: will install the unattended-upgrades package, which

will install security updates without the intervention of an administrator. For more details see Section 5, “Automatic Updates” [p. 24].

• Manage the system with Landscape: Landscape is a paid service provided by Canonical to help

manage your Ubuntu machines. See the Landscape4 site for details.

• You now have the option to install, or not install, several package tasks. See Section 2.1, “Package Tasks” [p. 7] for details. Also, there is an option to launch aptitude to choose specific packages to install. For more information see Section 4, “Aptitude” [p. 22].

• Finally, the last step before rebooting is to set the clock to UTC.

If at any point during installation you are not satisfied by the default setting, use the "Go Back" function at any prompt to be brought to a detailed installation menu that will allow you to modify the default settings.

Installation

At some point during the installation process you may want to read the help screen provided by the installation system. To do this, press F1.

Once again, for detailed instructions see the Ubuntu Installation Guide5.

2.1. Package Tasks

During the Server Edition installation you have the option of installing additional packages from the CD. The packages are grouped by the type of service they provide.

• Cloud computing: Walrus storage service

• Cloud computing: all-in-one cluster

• Cloud computing: Cluster controller

• Cloud computing: Node controller

• Cloud computing: Storage controller

• Cloud computing: top-level cloud controller

• DNS server: Selects the BIND DNS server and its documentation.

• LAMP server: Selects a ready-made Linux/Apache/MySQL/PHP server.

• Mail server: This task selects a variety of package useful for a general purpose mail server system.

• OpenSSH server: Selects packages needed for an OpenSSH server.

• PostgreSQL database: This task selects client and server packages for the PostgreSQL database.

• Print server: This task sets up your system to be a print server.

• Samba File server: This task sets up your system to be a Samba file server, which is especially suitable in networks with both Windows and Linux systems.

• Tomcat server: Installs the Apache Tomcat and needed dependencies Java, gcj, etc.

• Virtual machine host: Includes packages needed to run KVM virtual machines.

• Manually select packages: Executes apptitude allowing you to individually select packages.

Installing the package groups is accomplished using the tasksel utility. One of the important difference between Ubuntu (or Debian) and other GNU/Linux distribution is that, when installed, a package is also configured to reasonable defaults, eventually prompting you for additional required information. Likewise, when installing a task, the packages are not only installed, but also configured to provided a fully integrated service.

For more information on the Cloud Computing tasks see Section 3, “UEC” [p. 269].

Once the installation process has finished you can view a list of available tasks by entering the following from a terminal prompt:

tasksel --list-tasks

https://help.ubuntu.com/10.04 LTS/installation-guide/

Installation

The output will list tasks from other Ubuntu based distributions such as Kubuntu and Edubuntu. Note that you can also invoke the tasksel command by itself, which will bring up a menu of the different tasks available.

You can view a list of which packages are installed with each task using the --task-packages option. For example, to list the packages installed with the DNS Server task enter the following:

tasksel --task-packages dns-server

The output of the command should list:

bind9-doc bind9utils bind9

Also, if you did not install one of the tasks during the installation process, but for example you decide to make your new LAMP server a DNS server as well. Simply insert the installation CD and from a terminal:

sudo tasksel install dns-server

Installation

3. Upgrading

There are several ways to upgrade from one Ubuntu release to another. This section gives an overview of the recommended upgrade method.

3.1. do-release-upgrade

The recommended way to upgrade a Server Edition installation is to use the do-release-upgrade utility. Part of the update-manager-core package, it does not have any graphical dependencies and is installed by default.

Debian based systems can also be upgraded by using apt-get dist-upgrade. However, using dorelease-upgrade is recommended because it has the ability to handle system configuration changes sometimes needed between releases.

To upgrade to a newer release, from a terminal prompt enter:

do-release-upgrade

It is also possible to use do-release-upgrade to upgrade to a development version of Ubuntu. To accomplish this use the -d switch:

do-release-upgrade -d

Upgrading to a development release is not recommended for production environments.

Installation

4. Advanced Installation

4.1. Software RAID

RAID is a method of configuring multiple hard drives to act as one, reducing the probability of catastrophic data loss in case of drive failure. RAID is implemented in either software (where the operating system knows about both drives and actively maintains both of them) or hardware (where a special controller makes the OS think there's only one drive and maintains the drives 'invisibly').

The RAID software included with current versions of Linux (and Ubuntu) is based on the 'mdadm' driver and works very well, better even than many so-called 'hardware' RAID controllers. This section will guide you through installing Ubuntu Server Edition using two RAID1 partitions on two physical hard drives, one for / and another for swap.

4.1.1. Partitioning

Follow the installation steps until you get to the Partition disks step, then:

1. Select Manual as the partition method.

2. Select the first hard drive, and agree to "Create a new empty partition table on this device?".

Repeat this step for each drive you wish to be part of the RAID array.

3. Select the "FREE SPACE" on the first drive then select "Create a new partition".

4. Next, select the Size of the partition. This partition will be the swap partition, and a general

rule for swap size is twice that of RAM. Enter the partition size, then choose Primary, then Beginning.

5. Select the "Use as:" line at the top. By default this is "Ext4 journaling file system", change that to

"physical volume for RAID" then "Done setting up partition".

6. For the / partition once again select "Free Space" on the first drive then "Create a new partition".

7. Use the rest of the free space on the drive and choose Continue, then Primary.

8. As with the swap partition, select the "Use as:" line at the top, changing it to "physical volume

for RAID". Also select the "Bootable flag:" line to change the value to "on". Then choose "Done setting up partition".

9. Repeat steps three through eight for the other disk and partitions.

4.1.2. RAID Configuration

With the partitions setup the arrays are ready to be configured:

1. Back in the main "Partition Disks" page, select "Configure Software RAID" at the top.

2. Select "yes" to write the changes to disk.

3. Choose "Create MD device".

Installation

4. For this example, select "RAID1", but if you are using a different setup choose the appropriate

type (RAID0 RAID1 RAID5).

In order to use RAID5 you need at least three drives. Using RAID0 or RAID1 only two drives are required.

5. Enter the number of active devices "2", or the amount of hard drives you have, for the array.

Then select "Continue".

6. Next, enter the number of spare devices "0" by default, then choose "Continue".

7. Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, etc. The numbers will

usually match and the different letters correspond to different hard drives.

For the swap partition choose sda1 and sdb1. Select "Continue" to go to the next step.

8. Repeat steps three through seven for the / partition choosing sda2 and sdb2.

9. Once done select "Finish".

4.1.3. Formatting

There should now be a list of hard drives and RAID devices. The next step is to format and set the mount point for the RAID devices. Treat the RAID device as a local hard drive, format and mount accordingly.

1. Select "#1" under the "RAID1 device #0" partition.

2. Choose "Use as:". Then select "swap area", then "Done setting up partition".

3. Next, select "#1" under the "RAID1 device #1" partition.

4. Choose "Use as:". Then select "Ext4 journaling file system".

5. Then select the "Mount point" and choose "/ - the root file system". Change any of the other

options as appropriate, then select "Done setting up partition".

6. Finally, select "Finish partitioning and write changes to disk".

If you choose to place the root partition on a RAID array, the installer will then ask if you would like to boot in a degraded state. See Section 4.1.4, “Degraded RAID” [p. 11] for further details.

The installation process will then continue normally.

4.1.4. Degraded RAID

At some point in the life of the computer a disk failure event may occur. When this happens, using Software RAID, the operating system will place the array into what is known as a degraded state.

If the array has become degraded, due to the chance of data corruption, by default Ubuntu Server Edition will boot to initramfs after thirty seconds. Once the initramfs has booted there is a fifteen second prompt giving you the option to go ahead and boot the system, or attempt manual recover. Booting to the initramfs prompt may or may not be the desired behavior, especially if the machine is in a remote location. Booting to a degraded array can be configured several ways:

Installation

• The dpkg-reconfigure utility can be used to configure the default behavior, and during the process you will be queried about additional settings related to the array. Such as monitoring, email alerts, etc. To reconfigure mdadm enter the following:

sudo dpkg-reconfigure mdadm

• The dpkg-reconfigure mdadm process will change the /etc/initramfs-tools/conf.d/mdadm configuration file. The file has the advantage of being able to pre-configure the system's behavior, and can also be manually edited:

BOOT_DEGRADED=true

The configuration file can be overridden by using a Kernel argument.

• Using a Kernel argument will allow the system to boot to a degraded array as well:

• When the server is booting press Shift to open the Grub menu.

• Press e to edit your kernel command options.

• Press the down arrow to highlight the kernel line.

• Add "bootdegraded=true" (without the quotes) to the end of the line.

• Press Ctrl+x to boot the system.

Once the system has booted you can either repair the array see Section 4.1.5, “RAID Maintenance” [p. 12] for details, or copy important data to another machine due to major hardware failure.

4.1.5. RAID Maintenance

The mdadm utility can be used to view the status of an array, add disks to an array, remove disks, etc:

• To view the status of an array, from a terminal prompt enter:

sudo mdadm -D /dev/md0

The -D tells mdadm to display detailed information about the /dev/md0 device. Replace /dev/md0 with the appropriate RAID device.

• To view the status of a disk in an array:

sudo mdadm -E /dev/sda1

The output if very similar to the mdadm -D command, adjust /dev/sda1 for each disk.

• If a disk fails and needs to be removed from an array enter:

sudo mdadm --remove /dev/md0 /dev/sda1

Installation

Change /dev/md0 and /dev/sda1 to the appropriate RAID device and disk.

• Similarly, to add a new disk:

sudo mdadm --add /dev/md0 /dev/sda1

Sometimes a disk can change to a faulty state even though there is nothing physically wrong with the drive. It is usually worthwhile to remove the drive from the array then re-add it. This will cause the drive to re-sync with the array. If the drive will not sync with the array, it is a good indication of hardware failure.

The /proc/mdstat file also contains useful information about the system's RAID devices:

cat /proc/mdstat

Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10] md0 : active raid1 sda1[0] sdb1[1] 10016384 blocks [2/2] [UU]

unused devices: <none>

The following command is great for watching the status of a syncing drive:

watch -n1 cat /proc/mdstat

Press Ctrl+c to stop the watch command.

If you do need to replace a faulty drive, after the drive has been replaced and synced, grub will need to be installed. To install grub on the new drive, enter the following:

sudo grub-install /dev/md0

Replace /dev/md0 with the appropriate array device name.

4.1.6. Resources

The topic of RAID arrays is a complex one due to the plethora of ways RAID can be configured. Please see the following links for more information:

• Ubuntu Wiki Articles on RAID6.

• Software RAID HOWTO

• Managing RAID on Linux

4.2. Logical Volume Manager (LVM)

Logical Volume Manger, or LVM, allows administrators to create logical volumes out of one or multiple physical hard disks. LVM volumes can be created on both software RAID partitions and

Installation

standard partitions residing on a single disk. Volumes can also be extended, giving greater flexibility to systems as requirements change.

4.2.1. Overview

A side effect of LVM's power and flexibility is a greater degree of complication. Before diving into the LVM installation process, it is best to get familiar with some terms.

• Volume Group (VG): contains one or several Logical Volumes (LV).

• Logical Volume (LV): is similar to a partition in a non-LVM system. Multiple Physical Volumes (PV) can make up one LV, on top of which resides the actual EXT3, XFS, JFS, etc filesystem.

• Physical Volume (PV): physical hard disk or software RAID partition. The Volume Group can be extended by adding more PVs.

4.2.2. Installation

As an example this section covers installing Ubuntu Server Edition with /srv mounted on a LVM volume. During the initial install only one Physical Volume (PV) will be part of the Volume Group (VG). Another PV will be added after install to demonstrate how a VG can be extended.

There are several installation options for LVM, "Guided - use the entire disk and setup LVM" which will also allow you to assign a portion of the available space to LVM, "Guided - use entire and setup encrypted LVM", or Manually setup the partitions and configure LVM. At this time the only way to configure a system with both LVM and standard partitions, during installation, is to use the Manual approach.

1. Follow the installation steps until you get to the Partition disks step, then:

2. At the "Partition Disks screen choose "Manual".

3. Select the hard disk and on the next screen choose "yes" to "Create a new empty partition table

on this device".

4. Next, create standard /boot, swap, and / partitions with whichever filesystem you prefer.

5. For the LVM /srv, create a new Logical partition. Then change "Use as" to "physical volume for

LVM" then "Done setting up the partition".

6. Now select "Configure the Logical Volume Manager" at the top, and choose "Yes" to write the

changes to disk.

7. For the "LVM configuration action" on the next screen, choose "Create volume group". Enter a

name for the VG such as vg01, or something more descriptive. After entering a name, select the partition configured for LVM, and choose "Continue".

8. Back at the "LVM configuration action" screen, select "Create logical volume". Select the

newly created volume group, and enter a name for the new LV, for example srv since that is the intended mount point. Then choose a size, which may be the full partition because it can always be extended later. Choose "Finish" and you should be back at the main "Partition Disks" screen.

Installation

9. Now add a filesystem to the new LVM. Select the partition under "LVM VG vg01, LV srv", or

whatever name you have chosen, the choose Use as. Setup a file system as normal selecting /srv as the mount point. Once done, select "Done setting up the partition".

10. Finally, select "Finish partitioning and write changes to disk". Then confirm the changes and

continue with the rest of the installation.

There are some useful utilities to view information about LVM:

• vgdisplay: shows information about Volume Groups.

• lvdisplay: has information about Logical Volumes.

• pvdisplay: similarly displays information about Physical Volumes.

4.2.3. Extending Volume Groups

Continuing with srv as an LVM volume example, this section covers adding a second hard disk, creating a Physical Volume (PV), adding it to the volume group (VG), extending the logical volume

srv and finally extending the filesystem. This example assumes a second hard disk has been added to

the system. This hard disk will be named /dev/sdb in our example. BEWARE: make sure you don't already have an existing /dev/sdb before issuing the commands below. You could lose some data if you issue those commands on a non-empty disk. In our example we will use the entire disk as a physical volume (you could choose to create partitions and use them as different physical volumes)

1. First, create the physical volume, in a terminal execute:

sudo pvcreate /dev/sdb

2. Now extend the Volume Group (VG):

sudo vgextend vg01 /dev/sdb

3. Use vgdisplay to find out the free physical extents - Free PE / size (the size you can allocate). We

will assume a free size of 511 PE (equivalent to 2GB with a PE size of 4MB) and we will use the whole free space available. Use your own PE and/or free space.

The Logical Volume (LV) can now be extended by different methods, we will only see how to use the PE to extend the LV:

sudo lvextend /dev/vg01/srv -l +511

The -l option allows the LV to be extended using PE. The -L option allows the LV to be extended using Meg, Gig, Tera, etc bytes.

4. Even though you are supposed to be able to expand an ext3 or ext4 filesystem without

unmounting it first, it may be a good pratice to unmount it anyway and check the filesystem, so that you don't mess up the day you want to reduce a logical volume (in that case unmounting first is compulsory).

Installation

The following commands are for an EXT3 or EXT4 filesystem. If you are using another filesystem there may be other utilities available.

sudo umount /srv sudo e2fsck -f /dev/vg01/srv

The -f option of e2fsck forces checking even if the system seems clean.

5. Finally, resize the filesystem:

sudo resize2fs /dev/vg01/srv

6. Now mount the partition and check its size.

mount /dev/vg01/srv /srv && df -h /srv

4.2.4. Resources

• See the Ubuntu Wiki LVM Articles9.

• See the LVM HOWTO10 for more information.

• Another good article is Managing Disk Space with LVM11 on O'Reilly's linuxdevcenter.com site.

• For more information on fdisk see the fdisk man page12.

Chapter 3. Package Management

Ubuntu features a comprehensive package management system for the installation, upgrade, configuration, and removal of software. In addition to providing access to an organized base of over 24,000 software packages for your Ubuntu computer, the package management facilities also feature dependency resolution capabilities and software update checking.

Several tools are available for interacting with Ubuntu's package management system, from simple command-line utilities which may be easily automated by system administrators, to a simple graphical interface which is easy to use by those new to Ubuntu.

Package Management

1. Introduction

Ubuntu's package management system is derived from the same system used by the Debian GNU/ Linux distribution. The package files contain all of the necessary files, meta-data, and instructions to implement a particular functionality or software application on your Ubuntu computer.

Debian package files typically have the extension '.deb', and typically exist in repositories which are collections of packages found on various media, such as CD-ROM discs, or online. Packages are normally of the pre-compiled binary format; thus installation is quick and requires no compiling of software.

Many complex packages use the concept of dependencies. Dependencies are additional packages required by the principal package in order to function properly. For example, the speech synthesis package Festival depends upon the package libasound2, which is a package supplying the ALSA sound library needed for audio playback. In order for Festival to function, it and all of its dependencies must be installed. The software management tools in Ubuntu will do this automatically.

Package Management

2. dpkg

dpkg is a package manager for Debian based systems. It can install, remove, and build packages, but unlike other package management system's it can not automatically download and install packages and their dependencies. This section covers using dpkg to manage locally installed packages:

• To list all packages installed on the system, from a terminal prompt enter:

dpkg -l

• Depending on the amount of packages on your system, this can generate a large amount of output. Pipe the output through grep to see if a specific package is installed:

dpkg -l | grep apache2

Replace apache2 with any package name, part of a package name, or other regular expression.

• To list the files installed by a package, in this case the ufw package, enter:

dpkg -L ufw

• If you are not sure which package installed a file, dpkg -S may be able to tell you. For example:

dpkg -S /etc/host.conf

base-files: /etc/host.conf

The output shows that the /etc/host.conf belongs to the base-files package.

Many files are automatically generated during the package install process, and even though they are on the filesystem dpkg -S may not know which package they belong to.

• You can install a local .deb file by entering:

sudo dpkg -i zip_2.32-1_i386.deb

Change zip_2.32-1_i386.deb to the actual file name of the local .deb file.

• Uninstalling a package can be accomplished by:

sudo dpkg -r zip

Uninstalling packages using dpkg, in most cases, is NOT recommended. It is better to use a package manager that handles dependencies, to ensure that the system is in a consistent state. For example using dpkg -r you can remove the zip package, but any packages that depend on it will still be installed and may no longer function correctly.

For more dpkg options see the man page: man dpkg.

Package Management

3. Apt-Get

The apt-get command is a powerful command-line tool used to work with Ubuntu's Advanced Packaging Tool (APT) performing such functions as installation of new software packages, upgrade

of existing software packages, updating of the package list index, and even upgrading the entire Ubuntu system.

Being a simple command-line tool, apt-get has numerous advantages over other package management tools available in Ubuntu for server administrators. Some of these advantages include ease of use over simple terminal connections (SSH) and the ability to be used in system administration scripts, which can in turn be automated by the cron scheduling utility.

Some examples of popular uses for the apt-get utility:

• Install a Package: Installation of packages using the apt-get tool is quite simple. For example, to install the network scanner nmap, type the following:

sudo apt-get install nmap

• Remove a Package: Removal of a package or packages is also a straightforward and simple process. To remove the nmap package installed in the previous example, type the following:

sudo apt-get remove nmap

Multiple Packages: You may specify multiple packages to be installed or removed, separated by spaces.

Also, adding the --purge options to apt-get remove will remove the package configuration files as well. This may or may not be the desired effect so use with caution.

• Update the Package Index: The APT package index is essentially a database of available packages from the repositories defined in the /etc/apt/sources.list file. To update the local package index with the latest changes made in repositories, type the following:

sudo apt-get update

• Upgrade Packages: Over time, updated versions of packages currently installed on your computer may become available from the package repositories (for example security updates). To upgrade your system, first update your package index as outlined above, and then type:

sudo apt-get upgrade

For information on upgrading to a new Ubuntu release see Section 3, “Upgrading” [p. 9].

Actions of the apt-get command, such as installation and removal of packages, are logged in the /var/ log/dpkg.log log file.

Package Management

For further information about the use of APT, read the comprehensive Debian APT User Manual1 or type:

apt-get help

http://www.debian.org/doc/user-manuals#apt-howto

Package Management

4. Aptitude

Aptitude is a menu-driven, text-based front-end to the Advanced Packaging Tool (APT) system. Many of the common package management functions, such as installation, removal, and upgrade, are performed in Aptitude with single-key commands, which are typically lowercase letters.

Aptitude is best suited for use in a non-graphical terminal environment to ensure proper functioning of the command keys. You may start Aptitude as a normal user with the following command at a terminal prompt:

sudo aptitude

When Aptitude starts, you will see a menu bar at the top of the screen and two panes below the menu bar. The top pane contains package categories, such as New Packages and Not Installed Packages. The bottom pane contains information related to the packages and package categories.

Using Aptitude for package management is relatively straightforward, and the user interface makes common tasks simple to perform. The following are examples of common package management functions as performed in Aptitude:

• Install Packages: To install a package, locate the package via the Not Installed Packages package category, for example, by using the keyboard arrow keys and the ENTER key, and highlight the package you wish to install. After highlighting the package you wish to install, press the + key, and the package entry should turn green, indicating it has been marked for installation. Now press g to be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the installation. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more and you'll be prompted to download the package. Press ENTER on the Continue prompt, and downloading and installation of the package will commence.

• Remove Packages: To remove a package, locate the package via the Installed Packages package category, for example, by using the keyboard arrow keys and the ENTER key, and highlight the package you wish to remove. After highlighting the package you wish to install, press the - key, and the package entry should turn pink, indicating it has been marked for removal. Now press g to be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the installation. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more, and you'll be prompted to download the package. Press ENTER on the Continue prompt, and removal of the package will commence.

• Update Package Index: To update the package index, simply press the u key and you will be prompted to become root to complete the update. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Updating of the package index will commence. Press ENTER on the OK prompt when the download dialog is presented to complete the process.

• Upgrade Packages: To upgrade packages, perform the update of the package index as detailed above, and then press the U key to mark all packages with updates. Now press g whereby you'll be

Package Management

presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the installation. Press ENTER which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more, and you'll be prompted to download the packages. Press ENTER on the Continue prompt, and upgrade of the packages will commence.

The first column of information displayed in the package list in the top pane, when actually viewing packages lists the current state of the package, and uses the following key to describe the state of the package:

• i: Installed package

• c: Package not installed, but package configuration remains on system

• p: Purged from system

• v: Virtual package

• B: Broken package

• u: Unpacked files, but package not yet configured

• C: Half-configured - Configuration failed and requires fix

• H: Half-installed - Removal failed and requires fix

To exit Aptitude, simply press the q key and confirm you wish to exit. Many other functions are available from the Aptitude menu by pressing the F10 key.

Package Management

5. Automatic Updates

The unattended-upgrades package can be used to automatically install updated packages, and can be configured to update all packages or just install security updates. First, install the package by entering the following in a terminal:

sudo apt-get install unattended-upgrades

To configure unattended-upgrades, edit /etc/apt/apt.conf.d/50unattended-upgrades and adjust the following to fit your needs:

Unattended-Upgrade::Allowed-Origins { "Ubuntu lucid-security"; // "Ubuntu lucid-updates"; };

Certain packages can also be blacklisted and therefore will not be automatically updated. To blacklist a package, add it to the list:

Unattended-Upgrade::Package-Blacklist { // "vim"; // "libc6"; // "libc6-dev"; // "libc6-i686"; };

The double “//” serve as comments, so whatever follows "//" will not be evaluated.

To enable automatic updates, edit /etc/apt/apt.conf.d/10periodic and set the appropriate apt configuration options:

APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1";

The above configuration updates the package list, downloads, and installs available upgrades every day. The local download archive is cleaned every week.

You can read more about apt Periodic configuration options in the /etc/cron.daily/apt script header.

The results of unattended-upgrades will be logged to /var/log/unattended-upgrades.

Package Management

5.1. Notifications

Configuring Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades will enable unattended-upgrades to email an administrator detailing any packages that need upgrading or have problems.

Another useful package is apticron. apticron will configure a cron job to email an administrator information about any packages on the system that have updates available, as well as a summary of changes in each package.

To install the apticron package, in a terminal enter:

sudo apt-get install apticron

Once the package is installed edit /etc/apticron/apticron.conf, to set the email address and other options:

EMAIL="root@example.com"

Package Management

6. Configuration

Configuration of the Advanced Packaging Tool (APT) system repositories is stored in the /etc/apt/ sources.list configuration file. An example of this file is referenced here, along with information on adding or removing repository references from the file.

Here2 is a simple example of a typical /etc/apt/sources.list file.

You may edit the file to enable repositories or disable them. For example, to disable the requirement of inserting the Ubuntu CD-ROM whenever package operations occur, simply comment out the appropriate line for the CD-ROM, which appears at the top of the file:

# no more prompting for CD-ROM please # deb cdrom:[Ubuntu 10.04_Lucid_Lynx - Release i386 (20070419.1)]/ lucid main restricted

6.1. Extra Repositories

In addition to the officially supported package repositories available for Ubuntu, there exist additional community-maintained repositories which add thousands more potential packages for installation. Two of the most popular are the Universe and Multiverse repositories. These repositories are not officially supported by Ubuntu, but because they are maintained by the community they generally provide packages which are safe for use with your Ubuntu computer.

Packages in the Multiverse repository often have licensing issues that prevent them from being distributed with a free operating system, and they may be illegal in your locality.

Be advised that neither the Universe or Multiverse repositories contain officially supported packages. In particular, there may not be security updates for these packages.

Many other package sources are available, sometimes even offering only one package, as in the case of package sources provided by the developer of a single application. You should always be very careful and cautious when using non-standard package sources, however. Research the source and packages carefully before performing any installation, as some package sources and their packages could render your system unstable or non-functional in some respects.

By default, the Universe and Multiverse repositories are enabled but if you would like to disable them edit /etc/apt/sources.list and comment the following lines:

deb http://archive.ubuntu.com/ubuntu lucid universe multiverse deb-src http://archive.ubuntu.com/ubuntu lucid universe multiverse

deb http://us.archive.ubuntu.com/ubuntu/ lucid universe deb-src http://us.archive.ubuntu.com/ubuntu/ lucid universe

../sample/sources.list

Package Management

deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe

deb http://us.archive.ubuntu.com/ubuntu/ lucid multiverse deb-src http://us.archive.ubuntu.com/ubuntu/ lucid multiverse deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates multiverse deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates multiverse

deb http://security.ubuntu.com/ubuntu lucid-security universe deb-src http://security.ubuntu.com/ubuntu lucid-security universe deb http://security.ubuntu.com/ubuntu lucid-security multiverse deb-src http://security.ubuntu.com/ubuntu lucid-security multiverse

Package Management

7. References

Most of the material covered in this chapter is available in man pages, many of which are available online.

• The InstallingSoftware3 Ubuntu wiki page has more information.

• For more dpkg details see the dpkg man page4.

• The APT HOWTO5 and apt-get man page6 contain useful information regarding apt-get usage.

• See the aptitude man page7 for more aptitude options.

• The Adding Repositories HOWTO (Ubuntu Wiki)8 page contains more details on adding repositories.

Chapter 4. Networking

Networks consist of two or more devices, such as computer systems, printers, and related equipment which are connected by either physical cabling or wireless links for the purpose of sharing and distributing information among the connected devices.

This section provides general and specific information pertaining to networking, including an overview of network concepts and detailed discussion of popular network protocols.

Networking

1. Network Configuration

Ubuntu ships with a number of graphical utilities to configure your network devices. This document is geared toward server administrators and will focus on managing your network on the command line.

1.1. Ethernet Interfaces

Ethernet interfaces are identified by the system using the naming convention of ethX, where X represents a numeric value. The first Ethernet interface is typically identified as eth0, the second as eth1, and all others should move up in numerical order.

1.1.1. Identify Ethernet Interfaces

To quickly identify all available Ethernet interfaces, you can use the ifconfig command as shown below.

ifconfig -a | grep eth

eth0 Link encap:Ethernet HWaddr 00:15:c5:4a:16:5a

Another application that can help identify all network interfaces available to your system is the lshw command. In the example below, lshw shows a single Ethernet interface with the logical name of eth0 along with bus information, driver details and all supported capabilities.

sudo lshw -class network

*-network description: Ethernet interface product: BCM4401-B0 100Base-TX vendor: Broadcom Corporation physical id: 0 bus info: pci@0000:03:00.0 logical name: eth0 version: 02 serial: 00:15:c5:4a:16:5a size: 10MB/s capacity: 100MB/s width: 32 bits clock: 33MHz capabilities: (snipped for brevity) configuration: (snipped for brevity) resources: irq:17 memory:ef9fe000-ef9fffff

1.1.2. Ethernet Interface Logical Names

Interface logical names are configured in the file /etc/udev/rules.d/70-persistent-net.rules. If you would like control which interface receives a particular logical name, find the line matching the interfaces physical MAC address and modify the value of NAME=ethX to the desired logical name. Reboot the system to commit your changes.

Networking

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:15:c5:4a:16:5a", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0" SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:15:c5:4a:16:5b", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

1.1.3. Ethernet Interface Settings

ethtool is a program that displays and changes Ethernet card settings such as auto-negotiation, port speed, duplex mode, and Wake-on-LAN. It is not installed by default, but is available for installation in the repositories.

sudo apt-get install ethtool

The following is an example of how to view supported features and configured settings of an Ethernet interface.

sudo ethtool eth0

Settings for eth0: Supported ports: [ TP ] Supported link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full Supports auto-negotiation: Yes Advertised link modes: 10baseT/Half 10baseT/Full 100baseT/Half 100baseT/Full 1000baseT/Half 1000baseT/Full Advertised auto-negotiation: Yes Speed: 1000Mb/s Duplex: Full Port: Twisted Pair PHYAD: 1 Transceiver: internal Auto-negotiation: on Supports Wake-on: g Wake-on: d Current message level: 0x000000ff (255) Link detected: yes

Changes made with the ethtool command are temporary and will be lost after a reboot. If you would like to retain settings, simply add the desired ethtool command to a pre-up statement in the interface configuration file /etc/network/interfaces.

The following is an example of how the interface identified as eth0 could be permanently configured with a port speed of 1000Mb/s running in full duplex mode.

auto eth0 iface eth0 inet static pre-up /usr/sbin/ethtool -s eth0 speed 1000 duplex full

Although the example above shows the interface configured to use the static method, it actually works with other methods as well, such as DHCP. The example is meant to

Networking

demonstrate only proper placement of the pre-up statement in relation to the rest of the interface configuration.

1.2. IP Addressing

The following section describes the process of configuring your systems IP address and default gateway needed for communicating on a local area network and the Internet.

1.2.1. Temporary IP Address Assignment

For temporary network configurations, you can use standard commands such as ip, ifconfig and route, which are also found on most other GNU/Linux operating systems. These commands allow you to configure settings which take effect immediately, however they are not persistent and will be lost after a reboot.

To temporarily configure an IP address, you can use the ifconfig command in the following manner. Just modify the IP address and subnet mask to match your network requirements.

sudo ifconfig eth0 10.0.0.100 netmask 255.255.255.0

To verify the IP address configuration of eth0, you can use the ifconfig command in the following manner.

ifconfig eth0

eth0 Link encap:Ethernet HWaddr 00:15:c5:4a:16:5a inet addr:10.0.0.100 Bcast:10.0.0.255 Mask:255.255.255.0 inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0 TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2574778386 (2.5 GB) TX bytes:1618367329 (1.6 GB) Interrupt:16

To configure a default gateway, you can use the route command in the following manner. Modify the default gateway address to match your network requirements.

sudo route add default gw 10.0.0.1 eth0

To verify your default gateway configuration, you can use the route command in the following manner.

route -n

Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface

10.0.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0

0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 eth0

Networking

If you require DNS for your temporary network configuration, you can add DNS server IP addresses in the file /etc/resolv.conf. The example below shows how to enter two DNS servers to /etc/

resolv.conf, which should be changed to servers appropriate for your network. A more lengthy

description of DNS client configuration is in a following section.

nameserver 8.8.8.8 nameserver 8.8.4.4

If you no longer need this configuration and wish to purge all IP configuration from an interface, you can use the ip command with the flush option as shown below.

ip addr flush eth0

Flushing the IP configuration using the ip command does not clear the contents of /etc/

resolv.conf. You must remove or modify those entries manually.

1.2.2. Dynamic IP Address Assignment (DHCP Client)

To configure your server to use DHCP for dynamic address assignment, add the dhcp method to the inet address family statement for the appropriate interface in the file /etc/network/interfaces. The example below assumes you are configuring your first Ethernet interface identified as eth0.

auto eth0 iface eth0 inet dhcp

By adding an interface configuration as shown above, you can manually enable the interface through the ifup command which initiates the DHCP process via dhclient.

sudo ifup eth0

To manually disable the interface, you can use the ifdown command, which in turn will initiate the DHCP release process and shut down the interface.

sudo ifdown eth0

1.2.3. Static IP Address Assignment

To configure your system to use a static IP address assignment, add the static method to the inet address family statement for the appropriate interface in the file /etc/network/interfaces. The example below assumes you are configuring your first Ethernet interface identified as eth0. Change the address, netmask, and gateway values to meet the requirements of your network.

auto eth0 iface eth0 inet static address 10.0.0.100 netmask 255.255.255.0

Networking

gateway 10.0.0.1

By adding an interface configuration as shown above, you can manually enable the interface through the ifup command.

sudo ifup eth0

To manually disable the interface, you can use the ifdown command.

sudo ifdown eth0

1.2.4. Loopback Interface

The loopback interface is identified by the system as lo and has a default IP address of 127.0.0.1. It can be viewed using the ifconfig command.

ifconfig lo

lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:2718 errors:0 dropped:0 overruns:0 frame:0 TX packets:2718 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:183308 (183.3 KB) TX bytes:183308 (183.3 KB)

By default, there should be two lines in /etc/network/interfaces responsible for automatically configuring your loopback interface. It is recommended that you keep the default settings unless you have a specific purpose for changing them. An example of the two default lines are shown below.

auto lo iface lo inet loopback

1.3. Name Resolution

Name resolution as it relates to IP networking is the process of mapping IP addresses to hostnames, making it easier to identify resources on a network. The following section will explain how to properly configure your system for name resolution using DNS and static hostname records.

1.3.1. DNS Client Configuration

To configure your system to use DNS for name resolution, add the IP addresses of the DNS servers that are appropriate for your network in the file /etc/resolv.conf. You can also add an optional DNS suffix search-lists to match your network domain names.

Below is an example of a typical configuration of /etc/resolv.conf for a server on the domain "example.com" and using two public DNS servers.

Networking

search example.com nameserver 8.8.8.8 nameserver 8.8.4.4

The search option can also be used with multiple domain names so that DNS queries will be appended in the order in which they are entered. For example, your network may have multiple subdomains to search; a parent domain of example.com, and two sub-domains, sales.example.com and dev.example.com.

If you have multiple domains you wish to search, your configuration might look like the following.

search example.com sales.example.com dev.example.com nameserver 8.8.8.8 nameserver 8.8.4.4

If you try to ping a host with the name of server1, your system will automatically query DNS for its Fully Qualified Domain Name (FQDN) in the following order:

1. server1.example.com

2. server1.sales.example.com

3. server1.dev.example.com

If no matches are found, the DNS server will provide a result of notfound and the DNS query will fail.

1.3.2. Static Hostnames

Static hostnames are locally defined hostname-to-IP mappings located in the file /etc/hosts. Entries in the hosts file will have precedence over DNS by default. This means that if your system tries to resolve a hostname and it matches an entry in /etc/hosts, it will not attempt to look up the record in DNS. In some configurations, especially when Internet access is not required, servers that communicate with a limited number of resources can be conveniently set to use static hostnames instead of DNS.

The following is an example of a hosts file where a number of local servers have been identified by simple hostnames, aliases and their equivalent Fully Qualified Domain Names (FQDN's).

127.0.0.1 localhost

127.0.1.1 ubuntu-server

10.0.0.11 server1 vpn server1.example.com

10.0.0.12 server2 mail server2.example.com

10.0.0.13 server3 www server3.example.com

10.0.0.14 server4 file server4.example.com

In the above example, notice that each of the servers have been given aliases in addition to their proper names and FQDN's. Server1 has been mapped to the name vpn, server2 is referred to as mail, server3 as www, and server4 as file.

Networking

1.3.3. Name Service Switch Configuration

The order in which your system selects a method of resolving hostnames to IP addresses is controlled by the Name Service Switch (NSS) configuration file /etc/nsswitch.conf. As mentioned in the previous section, typically static hostnames defined in the systems /etc/hosts file have precedence over names resolved from DNS. The following is an example of the line responsible for this order of hostname lookups in the file /etc/nsswitch.conf.

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

• files first tries to resolve static hostnames located in /etc/hosts.

• mdns4_minimal attempts to resolve the name using Multicast DNS.

• [NOTFOUND=return] means that any response of notfound by the preceeding mdns4_minimal process should be treated as authoritative and that the system should not try to continue hunting for an answer.

• dns represents a legacy unicast DNS query.

• mdns4 represents a Multicast DNS query.

To modify the order of the above mentioned name resolution methods, you can simply change the hosts: string to the value of your choosing. For example, if you prefer to use legacy Unicast DNS versus Multicast DNS, you can change the string in /etc/nsswitch.conf as shown below.

hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4

1.4. Bridging

Bridging multiple interfaces is a more advanced configuration, but is very useful in multiple scenarios. One scenario is setting up a bridge with multiple network interfaces, then using a firewall to filter traffic between two network segments. Another scenario is using bridge on a system with one interface to allow virtual machines direct access to the outside network. The following example covers the latter scenario.

Before configuring a bridge you will need to install the bridge-utils package. To install the package, in a terminal enter:

sudo apt-get install bridge-utils

Next, configure the bridge by editing /etc/network/interfaces:

auto lo iface lo inet loopback

auto br0 iface br0 inet static

Networking

address 192.168.0.10 network 192.168.0.0 netmask 255.255.255.0 broadcast 192.168.0.255 gateway 192.168.0.1 bridge_ports eth0 bridge_fd 9 bridge_hello 2 bridge_maxage 12 bridge_stp off

Enter the appropriate values for your physical interface and network.

Now restart networking to enable the bridge interface:

sudo /etc/init.d/networking restart

The new bridge interface should now be up and running. The brctl provides useful information about the state of the bridge, controls which interfaces are part of the bridge, etc. See man brctl for more information.

1.5. Resources

• The Ubuntu Wiki Network page1 has links to articles covering more advanced network configuration.

• The interfaces man page2 has details on more options for /etc/network/interfaces.

• The dhclient man page3 has details on more options for configuring DHCP client settings.

• For more information on DNS client configuration see the resolver man page4. Also, Chapter 6 of O'Reilly's Linux Network Administrator's Guide5 is a good source of resolver and name service configuration information.

• For more information on bridging see the brctl man page6 and the Linux Foundation's Net:Bridge page.

Networking

2. TCP/IP

The Transmission Control Protocol and Internet Protocol (TCP/IP) is a standard set of protocols developed in the late 1970s by the Defense Advanced Research Projects Agency (DARPA) as a means of communication between different types of computers and computer networks. TCP/IP is the driving force of the Internet, and thus it is the most popular set of network protocols on Earth.

2.1. TCP/IP Introduction

The two protocol components of TCP/IP deal with different aspects of computer networking. Internet Protocol, the "IP" of TCP/IP is a connectionless protocol which deals only with network packet routing using the IP Datagram as the basic unit of networking information. The IP Datagram consists of a header followed by a message. The Transmission Control Protocol is the "TCP" of TCP/IP and enables network hosts to establish connections which may be used to exchange data streams. TCP also guarantees that the data between connections is delivered and that it arrives at one network host in the same order as sent from another network host.

2.2. TCP/IP Configuration

The TCP/IP protocol configuration consists of several elements which must be set by editing the appropriate configuration files, or deploying solutions such as the Dynamic Host Configuration Protocol (DHCP) server which in turn, can be configured to provide the proper TCP/IP configuration settings to network clients automatically. These configuration values must be set correctly in order to facilitate the proper network operation of your Ubuntu system.

The common configuration elements of TCP/IP and their purposes are as follows:

• IP address The IP address is a unique identifying string expressed as four decimal numbers ranging from zero (0) to two-hundred and fifty-five (255), separated by periods, with each of the four numbers representing eight (8) bits of the address for a total length of thirty-two (32) bits for the whole address. This format is called dotted quad notation.

• Netmask The Subnet Mask (or simply, netmask) is a local bit mask, or set of flags which separate the portions of an IP address significant to the network from the bits significant to the subnetwork. For example, in a Class C network, the standard netmask is 255.255.255.0 which masks the first three bytes of the IP address and allows the last byte of the IP address to remain available for specifying hosts on the subnetwork.

• Network Address The Network Address represents the bytes comprising the network portion of an IP address. For example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the network address, where twelve (12) represents the first byte of the IP address, (the network part) and zeroes (0) in all of the remaining three bytes to represent the potential host values. A network host using the private IP address 192.168.1.100 would in turn use a Network Address of

192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 network and a zero (0) for all the possible hosts on the network.

Networking

• Broadcast Address The Broadcast Address is an IP address which allows network data to be sent simultaneously to all hosts on a given subnetwork rather than specifying a particular host. The standard general broadcast address for IP networks is 255.255.255.255, but this broadcast address cannot be used to send a broadcast message to every host on the Internet because routers block it. A more appropriate broadcast address is set to match a specific subnetwork. For example, on the private Class C IP network, 192.168.1.0, the broadcast address is 192.168.1.255. Broadcast messages are typically produced by network protocols such as the Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP).

• Gateway Address A Gateway Address is the IP address through which a particular network, or host on a network, may be reached. If one network host wishes to communicate with another network host, and that host is not located on the same network, then a gateway must be used. In many cases, the Gateway Address will be that of a router on the same network, which will in turn pass traffic on to other networks or hosts, such as Internet hosts. The value of the Gateway Address setting must be correct, or your system will not be able to reach any hosts beyond those on the same network.

• Nameserver Address Nameserver Addresses represent the IP addresses of Domain Name Service (DNS) systems, which resolve network hostnames into IP addresses. There are three levels of Nameserver Addresses, which may be specified in order of precedence: The Primary Nameserver, the Secondary Nameserver, and the Tertiary Nameserver. In order for your system to be able to resolve network hostnames into their corresponding IP addresses, you must specify valid Nameserver Addresses which you are authorized to use in your system's TCP/IP configuration. In many cases these addresses can and will be provided by your network service provider, but many free and publicly accessible nameservers are available for use, such as the Level3 (Verizon) servers with IP addresses from 4.2.2.1 to 4.2.2.6.

The IP address, Netmask, Network Address, Broadcast Address, and Gateway Address are typically specified via the appropriate directives in the file /etc/network/

interfaces. The Nameserver Addresses are typically specified via nameserver directives

in the file /etc/resolv.conf. For more information, view the system manual page for interfaces or resolv.conf respectively, with the following commands typed at a terminal prompt:

Access the system manual page for interfaces with the following command:

man interfaces

Access the system manual page for resolv.conf with the following command:

man resolv.conf

Networking

2.3. IP Routing

IP routing is a means of specifying and discovering paths in a TCP/IP network along which network data may be sent. Routing uses a set of routing tables to direct the forwarding of network data packets from their source to the destination, often via many intermediary network nodes known as routers. There are two primary forms of IP routing: Static Routing and Dynamic Routing.

Static routing involves manually adding IP routes to the system's routing table, and this is usually done by manipulating the routing table with the route command. Static routing enjoys many advantages over dynamic routing, such as simplicity of implementation on smaller networks, predictability (the routing table is always computed in advance, and thus the route is precisely the same each time it is used), and low overhead on other routers and network links due to the lack of a dynamic routing protocol. However, static routing does present some disadvantages as well. For example, static routing is limited to small networks and does not scale well. Static routing also fails completely to adapt to network outages and failures along the route due to the fixed nature of the route.

Dynamic routing depends on large networks with multiple possible IP routes from a source to a destination and makes use of special routing protocols, such as the Router Information Protocol (RIP), which handle the automatic adjustments in routing tables that make dynamic routing possible. Dynamic routing has several advantages over static routing, such as superior scalability and the ability to adapt to failures and outages along network routes. Additionally, there is less manual configuration of the routing tables, since routers learn from one another about their existence and available routes. This trait also eliminates the possibility of introducing mistakes in the routing tables via human error. Dynamic routing is not perfect, however, and presents disadvantages such as heightened complexity and additional network overhead from router communications, which does not immediately benefit the end users, but still consumes network bandwidth.

2.4. TCP and UDP

TCP is a connection-based protocol, offering error correction and guaranteed delivery of data via what is known as flow control. Flow control determines when the flow of a data stream needs to be stopped, and previously sent data packets should to be re-sent due to problems such as collisions, for example, thus ensuring complete and accurate delivery of the data. TCP is typically used in the exchange of important information such as database transactions.

The User Datagram Protocol (UDP), on the other hand, is a connectionless protocol which seldom deals with the transmission of important data because it lacks flow control or any other method to ensure reliable delivery of the data. UDP is commonly used in such applications as audio and video streaming, where it is considerably faster than TCP due to the lack of error correction and flow control, and where the loss of a few packets is not generally catastrophic.

Networking

2.5. ICMP

The Internet Control Messaging Protocol (ICMP) is an extension to the Internet Protocol (IP) as defined in the Request For Comments (RFC) #792 and supports network packets containing control, error, and informational messages. ICMP is used by such network applications as the ping utility, which can determine the availability of a network host or device. Examples of some error messages returned by ICMP which are useful to both network hosts and devices such as routers, include Destination Unreachable and Time Exceeded.

2.6. Daemons

Daemons are special system applications which typically execute continuously in the background and await requests for the functions they provide from other applications. Many daemons are networkcentric; that is, a large number of daemons executing in the background on an Ubuntu system may provide network-related functionality. Some examples of such network daemons include the Hyper

Text Transport Protocol Daemon (httpd), which provides web server functionality; the Secure SHell Daemon (sshd), which provides secure remote login shell and file transfer capabilities; and the Internet Message Access Protocol Daemon (imapd), which provides E-Mail services.

2.7. Resources

• There are man pages for TCP8 and IP9 that contain more useful information.

• Also, see the TCP/IP Tutorial and Technical Overview10 IBM Redbook.

• Another resource is O'Reilly's TCP/IP Network Administration11.

Networking

3. Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host computers to be automatically assigned settings from a server as opposed to manually configuring each network host. Computers configured to be DHCP clients have no control over the settings they receive from the DHCP server, and the configuration is transparent to the computer's user.

The most common settings provided by a DHCP server to DHCP clients include:

• IP-Address and Netmask

• DNS

• WINS

However, a DHCP server can also supply configuration properties such as:

• Host Name

• Domain Name

• Default Gateway

• Time Server

• Print Server

The advantage of using DHCP is that changes to the network, for example a change in the address of the DNS server, need only be changed at the DHCP server, and all network hosts will be reconfigured the next time their DHCP clients poll the DHCP server. As an added advantage, it is also easier to integrate new computers into the network, as there is no need to check for the availability of an IP address. Conflicts in IP address allocation are also reduced.

A DHCP server can provide configuration settings using two methods: MAC Address

This method entails using DHCP to identify the unique hardware address of each network card connected to the network and then continually supplying a constant configuration each time the DHCP client makes a request to the DHCP server using that network device.

Address Pool

This method entails defining a pool (sometimes also called a range or scope) of IP addresses from which DHCP clients are supplied their configuration properties dynamically and on a "first come, first served" basis. When a DHCP client is no longer on the network for a specified period, the configuration is expired and released back to the address pool for use by other DHCP Clients.

Ubuntu is shipped with both DHCP server and client. The server is dhcpd (dynamic host configuration protocol daemon). The client provided with Ubuntu is dhclient and should be installed on all computers required to be automatically configured. Both programs are easy to install and configure and will be automatically started at system boot.

3.1. Installation

At a terminal prompt, enter the following command to install dhcpd:

Networking

sudo apt-get install dhcp3-server

You will probably need to change the default configuration by editing /etc/dhcp3/dhcpd.conf to suit your needs and particular configuration.

You also need to edit /etc/default/dhcp3-server to specify the interfaces dhcpd should listen to. By default it listens to eth0.

NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics messages.

3.2. Configuration

The error message the installation ends with might be a little confusing, but the following steps will help you configure the service:

Most commonly, what you want to do is assign an IP address randomly. This can be done with settings as follows:

# Sample /etc/dhcpd.conf # (add your comments here) default-lease-time 600; max-lease-time 7200; option subnet-mask 255.255.255.0; option broadcast-address 192.168.1.255; option routers 192.168.1.254; option domain-name-servers 192.168.1.1, 192.168.1.2; option domain-name "mydomain.example";

subnet 192.168.1.0 netmask 255.255.255.0 { range 192.168.1.10 192.168.1.100; range 192.168.1.150 192.168.1.200; }

This will result in the DHCP server giving a client an IP address from the range

192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600

seconds if the client doesn't ask for a specific time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and

192.168.1.1 and 192.168.1.2 as its DNS servers.

If you need to specify a WINS server for your Windows clients, you will need to include the netbiosname-servers option, e.g.

option netbios-name-servers 192.168.1.1;

Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can be found here12.

http://www.tldp.org/HOWTO/DHCP/index.html

Networking

3.3. References

• The dhcp3-server Ubuntu Wiki13 page has more information.

• For more /etc/dhcp3/dhcpd.conf options see the dhcpd.conf man page14.

• Also see the DHCP FAQ

Networking

4. Time Synchronisation with NTP

This page describes methods for keeping your computer's time accurate. This is useful for servers, but is not necessary (or desirable) for desktop machines.

NTP is a TCP/IP protocol for synchronising time over a network. Basically a client requests the current time from a server, and uses it to set its own clock.

Behind this simple description, there is a lot of complexity - there are tiers of NTP servers, with the tier one NTP servers connected to atomic clocks (often via GPS), and tier two and three servers spreading the load of actually handling requests across the Internet. Also the client software is a lot more complex than you might think - it has to factor out communication delays, and adjust the time in a way that does not upset all the other processes that run on the server. But luckily all that complexity is hidden from you!

Ubuntu has two ways of automatically setting your time: ntpdate and ntpd.

4.1. ntpdate

Ubuntu comes with ntpdate as standard, and will run it once at boot time to set up your time according to Ubuntu's NTP server. However, a server's clock is likely to drift considerably between reboots, so it makes sense to correct the time occasionally. The easiest way to do this is to get cron to run ntpdate every day. With your favorite editor, as root, create a file /etc/cron.daily/ntpdate containing:

ntpdate ntp.ubuntu.com

The file /etc/cron.daily/ntpdate must also be executable.

sudo chmod 755 /etc/cron.daily/ntpdate

4.2. ntpd

ntpdate is a bit of a blunt instrument - it can only adjust the time once a day, in one big correction. The ntp daemon ntpd is far more subtle. It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is negligible.

To set up ntpd:

sudo apt-get install ntp

4.3. Changing Time Servers

In both cases above, your system will use Ubuntu's NTP server at ntp.ubuntu.com by default. This is OK, but you might want to use several servers to increase accuracy and resilience, and you may want to use time servers that are geographically closer to you. to do this for ntpdate, change the contents of

/etc/cron.daily/ntpdate to:

Networking

ntpdate ntp.ubuntu.com pool.ntp.org

And for ntpd edit /etc/ntp.conf to include additional server lines:

server ntp.ubuntu.com server pool.ntp.org

You may notice pool.ntp.org in the examples above. This is a really good idea which uses roundrobin DNS to return an NTP server from a pool, spreading the load between several different servers. Even better, they have pools for different regions - for instance, if you are in New Zealand, so you could use nz.pool.ntp.org instead of pool.ntp.org . Look at http://www.pool.ntp.org/ for more details.

You can also Google for NTP servers in your region, and add these to your configuration. To test that a server works, just type sudo ntpdate ntp.server.name and see what happens.

4.4. References

• See the Ubuntu Time16 wiki page for more information.

• NTP Support

• The NTP FAQ and HOWTO

Chapter 5. Remote Administration

There are many ways to remotely administer a Linux server. This chapter will cover one of the most popular SSH as well as eBox, a web based administration framework.

Remote Administration

1. OpenSSH Server

1.1. Introduction

This section of the Ubuntu Server Guide introduces a powerful collection of tools for the remote control of networked computers and transfer of data between networked computers, called OpenSSH. You will also learn about some of the configuration settings possible with the OpenSSH server application and how to change them on your Ubuntu system.

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely controlling a computer or transferring files between computers. Traditional tools used to accomplish these functions, such as telnet or rcp, are insecure and transmit the user's password in cleartext when used. OpenSSH provides a server daemon and client tools to facilitate secure, encrypted remote control and file transfer operations, effectively replacing the legacy tools.

The OpenSSH server component, sshd, listens continuously for client connections from any of the client tools. When a connection request occurs, sshd sets up the correct connection depending on the type of client tool connecting. For example, if the remote computer is connecting with the ssh client application, the OpenSSH server sets up a remote control session after authentication. If a remote user connects to an OpenSSH server with scp, the OpenSSH server daemon initiates a secure copy of files between the server and client after authentication. OpenSSH can use many authentication methods, including plain password, public key, and Kerberos tickets.

1.2. Installation

Installation of the OpenSSH client and server applications is simple. To install the OpenSSH client applications on your Ubuntu system, use this command at a terminal prompt:

sudo apt-get install openssh-client

To install the OpenSSH server application, and related support files, use this command at a terminal prompt:

sudo apt-get install openssh-server

The openssh-server package can also be selected to install during the Server Edition installation process.

1.3. Configuration

You may configure the default behavior of the OpenSSH server application, sshd, by editing the file

/etc/ssh/sshd_config. For information about the configuration directives used in this file, you may

view the appropriate manual page with the following command, issued at a terminal prompt:

man sshd_config

Remote Administration

There are many directives in the sshd configuration file controlling such things as communication settings and authentication modes. The following are examples of configuration directives that can be changed by editing the /etc/ssh/sshd_config file.

Prior to editing the configuration file, you should make a copy of the original file and protect it from writing so you will have the original settings as a reference and to reuse as necessary.

Copy the /etc/ssh/sshd_config file and protect it from writing with the following commands, issued at a terminal prompt:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original sudo chmod a-w /etc/ssh/sshd_config.original

The following are examples of configuration directives you may change:

• To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port 22, change the Port directive as such:

Port 2222

• To have sshd allow public key-based login credentials, simply add or modify the line:

PubkeyAuthentication yes

In the /etc/ssh/sshd_config file, or if already present, ensure the line is not commented out.

• To make your OpenSSH server display the contents of the /etc/issue.net file as a pre-login banner, simply add or modify the line:

Banner /etc/issue.net

In the /etc/ssh/sshd_config file.

After making changes to the /etc/ssh/sshd_config file, save the file, and restart the sshd server application to effect the changes using the following command at a terminal prompt:

sudo /etc/init.d/ssh restart

Many other configuration directives for sshd are available for changing the server application's behavior to fit your needs. Be advised, however, if your only method of access to a server is ssh, and you make a mistake in configuring sshd via the /etc/ssh/

sshd_config file, you may find you are locked out of the server upon restarting it, or that

the sshd server refuses to start due to an incorrect configuration directive, so be extra careful when editing this file on a remote server.

1.4. SSH Keys

SSH keys allow authentication between two hosts without the need of a password. SSH key authentication uses two keys a private key and a public key.

Remote Administration

To generate the keys, from a terminal prompt enter:

ssh-keygen -t dsa

This will generate the keys using a DSA authentication identity of the user. During the process you will be prompted for a password. Simply hit Enter when prompted to create the key.

By default the public key is saved in the file ~/.ssh/id_dsa.pub, while ~/.ssh/id_dsa is the private key. Now copy the id_dsa.pub file to the remote host and append it to ~/.ssh/authorized_keys by entering:

ssh-copy-id username@remotehost

Finally, double check the permissions on the authorized_keys file, only the authenticated user should have read and write permissions. If the permissions are not correct change them by:

chmod 600 .ssh/authorized_keys

You should now be able to SSH to the host without being prompted for a password.

1.5. References

• Ubuntu Wiki SSH1 page.

• OpenSSH Website

• Advanced OpenSSH Wiki Page

Remote Administration

2. eBox

eBox is a web framework used to manage server application configuration. The modular design of eBox allows you to pick and choose which services you want to configure using eBox.

2.1. Installation

The different eBox modules are split into different packages, allowing you to only install those necessary. One way to view the available packages is to enter the following from a terminal:

apt-cache rdepends ebox | uniq

To install the ebox package, which contains the default modules, enter the following:

sudo apt-get install ebox

During the installation you will be asked to supply a password for the ebox user. After installing eBox the web interface can be accessed from: https://yourserver/ebox.

2.2. Configuration

An important thing to remember when using eBox is that when configuring most modules there is a Change button that implements the new configuration. After clicking the Change button most, but not all, modules will then need to be Saved. To save the new configuration click on the “Save changes” link in the top right hand corner.

Once you make a change that requires a Save, the link will change from green to red.

2.3. eBox Modules

By default all eBox Modules are not enabled, and when a new module is installed it will not be automatically enabled.

To enable a disabled module click on the Module status link in the left hand menu. Then check which modules you would like to enable and click the “Save” link.

2.3.1. Default Modules

This section provides a quick summary of the default eBox modules.

• System: contains options allowing configuration of general eBox items.

• General: allows you to set the language, port number, and contains a change password form.

• Disk Usage: displays a graph detailing information about disk usage.

• Backup: is used to backup eBox configuration information, and the Full Backup option allows

you to save all eBox information not included in the Configuration option such as log files.

Remote Administration

• Halt/Reboot: will shutdown the system or reboot it.

• Bug Report: creates a file containing details helpful when reporting bugs to the eBox developers.

• Logs: allows eBox logs to be queried depending on the purge time configured.

• Events: this module has the ability to send alerts through rss, jabber, and log file.

• Available Events:

• Free Storage Space: will send alert if free disk space drops below a configured percentage, 10% by default.

• Log Observer: sends an alert when a configured logger has logged something.

• RAID: will monitor the RAID system and send alerts if any issues arise.

• Service: sends alerts if a service restarts multiple times in a short time period.

• State: alerts on the state of eBox, either up or down.

• Dispatchers:

• Log: this dispatcher will send event messages to the eBox log file /var/log/ebox/ebox.log.

• Jabber: before enabling this dispatcher you must first configure it by clicking on the “Configure” icon.

• RSS: once this dispatcher is configured you can subscribe to the link in order to view event alerts.

2.4. Additional Modules

Here is a quick description of other available eBox modules:

• Network: allows configuration of the server's network options through eBox.

• Firewall: configures firewall options for the eBox host.

• UsersandGroups: this module will manage users and groups contained in an OpenLDAP LDAP directory.

• DHCP: provides an interface for configuring a DHCP server.

• DNS: provides BIND9 DNS server configuration options.

• Objects: allow configuration of eBox Network Objects, which allow you to assign a name to an IP address or group of IPs.

• Services: displays configuration information for services that are available to the network.

• Squid: configuration options for the Squid proxy server.

• CA: configures a Certificate Authority for the server.

• NTP: set Network Time Protocol options.

• Printers: allows the configuration of printers.

• Samba: configuration options for Samba.

• OpenVPN: setup options for OpenVPN Virtual Private Network application.

Remote Administration

2.5. Resources

• The eBox Ubuntu Wiki4 page has more details.

• For more information also see the eBox Home Page5.

Chapter 6. Network Authentication

This section explains various Network Authentication protocols.

Network Authentication

1. OpenLDAP Server

LDAP is an acronym for Lightweight Directory Access Protocol, it is a simplified version of the X.500 protocol. The directory setup in this section will be used for authentication. Nevertheless, LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address book, etc.

To describe LDAP quickly, all information is stored in a tree structure. With OpenLDAP you have freedom to determine the directory arborescence (the Directory Information Tree: the DIT) yourself. We will begin with a basic tree containing two nodes below the root:

• "People" node where your users will be stored

• "Groups" node where your groups will be stored

Before beginning, you should determine what the root of your LDAP directory will be. By default, your tree will be determined by your Fully Qualified Domain Name (FQDN). If your domain is example.com (which we will use in this example), your root node will be dc=example,dc=com.

1.1. Installation

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

sudo apt-get install slapd ldap-utils

By default slapd is configured with minimal options needed to run the slapd daemon.

The configuration example in the following sections will match the domain name of the server. For example, if the machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com.

1.2. Populating LDAP

OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service.

The backend cn=config directory has only a minimal configuration and will need additional configuration options in order to populate the frontend directory. The frontend will be populated with a "classical" scheme that will be compatible with address book applications and with Unix Posix accounts. Posix accounts will allow authentication to various applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

For external applications to authenticate using LDAP they will each need to be specifically configured to do so. Refer to the individual application documentation for details.

Network Authentication

Remember to change dc=example,dc=com in the following examples to match your LDAP configuration.

First, some additional schema files need to be loaded. In a terminal enter:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

Next, copy the following example LDIF file, naming it backend.example.com.ldif, somewhere on your system:

# Load dynamic backend modules dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/ldap olcModuleload: back_hdb

# Database settings dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcSuffix: dc=example,dc=com olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=example,dc=com olcRootPW: secret olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcDbCheckpoint: 512 30 olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by * read olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

Change olcRootPW: secret to a password of your choosing.

Now add the LDIF to the directory:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif

The frontend directory is now ready to be populated. Create a frontend.example.com.ldif with the following contents:

Network Authentication

# Create top-level object in domain dn: dc=example,dc=com objectClass: top objectClass: dcObject objectclass: organization o: Example Organization dc: Example description: LDAP Example

# Admin user. dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: secret

dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people

dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups

dn: uid=john,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: john sn: Doe givenName: John cn: John Doe displayName: John Doe uidNumber: 1000 gidNumber: 10000 userPassword: password gecos: John Doe loginShell: /bin/bash homeDirectory: /home/john shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: john.doe@example.com postalCode: 31000 l: Toulouse o: Example mobile: +33 (0)6 xx xx xx xx

Network Authentication

homePhone: +33 (0)5 xx xx xx xx title: System Administrator postalAddress: initials: JD

dn: cn=example,ou=groups,dc=example,dc=com objectClass: posixGroup cn: example gidNumber: 10000

In this example the directory structure, a user, and a group have been setup. In other examples you might see the objectClass: top added in every entry, but that is the default behaviour so you do not have to add it explicitly.

Add the entries to the LDAP directory:

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif

We can check that the content has been correctly added with the ldapsearch utility. Execute a search of the LDAP directory:

ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn

dn: uid=john,ou=people,dc=example,dc=com cn: John Doe sn: Doe givenName: John

Just a quick explanation:

• -x: will not use SASL authentication method, which is the default.

• -LLL: disable printing LDIF schema information.

1.3. Further Configuration

The cn=config tree can be manipulated using the utilities in the ldap-utils package. For example:

• Use ldapsearch to view the tree, entering the admin password set during installation or reconfiguration:

sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn

SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: cn=config

Network Authentication

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config

The output above is the current configuration options for the cn=config backend database. Your output may be vary.

• As an example of modifying the cn=config tree, add another attribute to the index list using ldapmodify:

sudo ldapmodify -Y EXTERNAL -H ldapi:///

SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0

dn: olcDatabase={1}hdb,cn=config

add: olcDbIndex

olcDbIndex: uidNumber eq

modifying entry "olcDatabase={1}hdb,cn=config"

Once the modification has completed, press Ctrl+D to exit the utility.

• ldapmodify can also read the changes from a file. Copy and paste the following into a file named

uid_index.ldif:

dn: olcDatabase={1}hdb,cn=config add: olcDbIndex olcDbIndex: uid eq,pres,sub

Then execute ldapmodify:

Network Authentication

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif

SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={1}hdb,cn=config"

The file method is very useful for large changes.

• Adding additional schemas to slapd requires the schema to be converted to LDIF format. The

/etc/ldap/schema directory contains some schema files already converted to LDIF format as

demonstrated in the previous section. Fortunately, the slapd program can be used to automate the conversion. The following example will add the dyngoup.schema:

1. First, create a conversion schema_convert.conf file containing the following lines:

include /etc/ldap/schema/core.schema include /etc/ldap/schema/collective.schema include /etc/ldap/schema/corba.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/duaconf.schema include /etc/ldap/schema/dyngroup.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/java.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/ppolicy.schema

2. Next, create a temporary directory to hold the output:

mkdir /tmp/ldif_output

3. Now using slapcat convert the schema files to LDIF:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={5}dyngroup,cn=schema,cn=config" > /tmp/cn=dyngroup.ldif

Adjust the configuration file name and temporary directory names if yours are different. Also, it may be worthwhile to keep the ldif_output directory around in case you want to add additional schemas in the future.

4. Edit the /tmp/cn\=dyngroup.ldif file, changing the following attributes:

dn: cn=dyngroup,cn=schema,cn=config ... cn: dyngroup

And remove the following lines from the bottom of the file:

Network Authentication

structuralObjectClass: olcSchemaConfig entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757 creatorsName: cn=config createTimestamp: 20080826021140Z entryCSN: 20080826021140.791425Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20080826021140Z

The attribute values will vary, just be sure the attributes are removed.

5. Finally, using the ldapadd utility, add the new schema to the directory:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=dyngroup.ldif

There should now be a dn: cn={4}dyngroup,cn=schema,cn=config entry in the cn=config tree.

1.4. LDAP Replication

LDAP often quickly becomes a highly critical service to the network. Multiple systems will come to depend on LDAP for authentication, authorization, configuration, etc. It is a good idea to setup a redundant system through replication.

Replication is achieved using the Syncrepl engine. Syncrepl allows the changes to be synced using a consumer, provider model. A provider sends directory changes to consumers.

1.4.1. Provider Configuration

The following is an example of a Single-Master configuration. In this configuration one OpenLDAP server is configured as a provider and another as a consumer.

1. First, configure the provider server. Copy the following to a file named provider_sync.ldif:

# Add indexes to the frontend db. dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryCSN eq

add: olcDbIndex olcDbIndex: entryUUID eq

#Load the syncprov and accesslog modules. dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov

Network Authentication

add: olcModuleLoad olcModuleLoad: accesslog

# Accesslog database definitions dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap/accesslog olcSuffix: cn=accesslog olcRootDN: cn=admin,dc=example,dc=com olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov. dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE

# syncrepl Provider for primary db dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogSuccess: TRUE # scan the accesslog DB every day, and purge entries older than 7 days olcAccessLogPurge: 07+00:00 01+00:00

2. The AppArmor profile for slapd will need to be adjusted for the accesslog database location. Edit

/etc/apparmor.d/usr.sbin.slapd adding:

/var/lib/ldap/accesslog/ r, /var/lib/ldap/accesslog/** rwk,

Then create the directory, reload the apparmor profile, and copy the DB_CONFIG file:

sudo -u openldap mkdir /var/lib/ldap/accesslog

Network Authentication

sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog/ sudo /etc/init.d/apparmor reload

Using the -u openldap option with the sudo commands above removes the need to adjust permissions for the new directory later.

3. Edit the file and change the olcRootDN to match your directory:

olcRootDN: cn=admin,dc=example,dc=com

4. Next, add the LDIF file using the ldapadd utility:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif

5. Restart slapd:

sudo /etc/init.d/slapd restart

The Provider server is now configured, and it is time to configure a Consumer server.

1.4.2. Consumer Configuration

1. On the Consumer server configure it the same as the Provider except for the Syncrepl

configuration steps.

Add the additional schema files:

Also, create, or copy from the provider server, the backend.example.com.ldif

# Load dynamic backend modules dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/ldap olcModuleload: back_hdb

Network Authentication

olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcLastMod: TRUE olcDbCheckpoint: 512 30 olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none olcAccess: to attrs=shadowLastChange by self write by * read olcAccess: to dn.base="" by * read olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

And add the LDIF by entering:

sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif

2. Do the same with the frontend.example.com.ldif file listed above, and add it:

sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif

The two severs should now have the same configuration except for the Syncrepl options.

3. Now create a file named consumer_sync.ldif containing:

#Load the syncprov module. dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov

# syncrepl specific indices dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryUUID eq

add: olcSyncRepl olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog

add: olcUpdateRef olcUpdateRef: ldap://ldap01.example.com

You will probably want to change the following attributes:

• ldap01.example.com to your server's hostname.

• binddn

• credentials

• searchbase

• olcUpdateRef:

Network Authentication

4. Add the LDIF file to the configuration tree:

sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif

The frontend database should now sync between servers. You can add additional servers using the steps above as the need arises.

The slapd daemon will send log information to /var/log/syslog by default. So if all does not go well check there for errors and other troubleshooting information. Also, be sure that each server knows it's Fully Qualified Domain Name (FQDN). This is configured in /etc/

hosts with a line similar to:

127.0.0.1 ldap01.example.com ldap01

1.5. Setting up ACL

Authentication requires access to the password field, that should be not accessible by default. Also, in order for users to change their own password, using passwd or other utilities, shadowLastChange needs to be accessible once a user has authenticated.

To view the Access Control List (ACL) for the cn=config tree, use the ldapsearch utility:

sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=config olcAccess

SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcDatabase={0}config,cn=config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth manage by * break

To see the ACL for the frontend tree enter:

sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcAccess

1.6. TLS and SSL

When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can be accomplished using Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL).

The first step in the process is to obtain or create a certificate. Because slapd is compiled using the gnutls library, the certtool utility will be used to create certificates.

1. First, install gnutls-bin by entering the following in a terminal:

Network Authentication

sudo apt-get install gnutls-bin

2. Next, create a private key for the Certificate Authority (CA):

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

3. Create a /etc/ssl/ca.info details file to self-sign the CA certificate containing:

cn = Example Company ca cert_signing_key

4. Now create the self-signed CA certificate:

sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem \

--template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem

5. Make a private key for the server:

sudo sh -c "certtool --generate-privkey > /etc/ssl/private/ldap01_slapd_key.pem"

Replace ldap01 in the filename with your server's hostname. Naming the certificate and key for the host and service that will be using them will help keep filenames and paths straight.

6. To sign the server's certificate with the CA, create the /etc/ssl/ldap01.info info file

containing:

organization = Example Company cn = ldap01.example.com tls_www_server encryption_key signing_key

7. Create the server's certificate:

sudo certtool --generate-certificate --load-privkey /etc/ssl/private/x01-test_slapd_key.pem \

--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \

--template /etc/ssl/x01-test.info --outfile /etc/ssl/certs/x01-test_slapd_cert.pem

Once you have a certificate, key, and CA cert installed, use ldapmodify to add the new configuration options:

sudo ldapmodify -Y EXTERNAL -H ldapi:///

Enter LDAP Password:

dn: cn=config

add: olcTLSCACertificateFile

Network Authentication

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

add: olcTLSCertificateFile

olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem

add: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

modifying entry "cn=config"

Adjust the ldap01_slapd_cert.pem, ldap01_slapd_key.pem, and cacert.pem names if yours are different.

Next, edit /etc/default/slapd uncomment the SLAPD_SERVICES option:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Now the openldap user needs access to the certificate:

sudo adduser openldap ssl-cert sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem

If the /etc/ssl/private and /etc/ssl/private/server.key have different permissions, adjust the commands appropriately.

Finally, restart slapd:

sudo /etc/init.d/slapd restart

The slapd daemon should now be listening for LDAPS connections and be able to use STARTTLS during authentication.

If you run into troubles with the server not starting, check the /var/log/syslog. If you see errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem. Check that the certificate is signed by the authority from in the files configured, and that the ssl-cert group has read permissions on the private key.

1.6.1. TLS Replication

If you have setup Syncrepl between servers, it is prudent to encrypt the replication traffic using

Transport Layer Security (TLS). For details on setting up replication see Section 1.4, “LDAP Replication” [p. 61].

Assuming you have followed the above instructions and created a CA certificate and server certificate on the Provider server. Follow the following instructions to create a certificate and key for the Consumer server.

Network Authentication

1. Create a new key for the Consumer server:

mkdir ldap02-ssl cd ldap02-ssl certtool --generate-privkey > ldap02_slapd_key.pem

Creating a new directory is not strictly necessary, but it will help keep things organized and make it easier to copy the files to the Consumer server.

2. Next, create an info file, ldap02.info for the Consumer server, changing the attributes to match

your locality and server:

country = US state = North Carolina locality = Winston-Salem organization = Example Company cn = ldap02.salem.edu tls_www_client encryption_key signing_key

3. Create the certificate:

sudo certtool --generate-certificate --load-privkey ldap02_slapd_key.pem \

--load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem \

--template ldap02.info --outfile ldap02_slapd_cert.pem

4. Copy the cacert.pem to the dicretory:

cp /etc/ssl/certs/cacert.pem .

5. The only thing left is to copy the ldap02-ssl directory to the Consumer server, then copy

ldap02_slapd_cert.pem and cacert.pem to /etc/ssl/certs, and copy ldap02_slapd_key.pem

to /etc/ssl/private.

6. Once the files are in place adjust the cn=config tree by entering:

sudo ldapmodify -Y EXTERNAL -H ldapi:///

Enter LDAP Password:

dn: cn=config

add: olcTLSCACertificateFile

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

add: olcTLSCertificateFile

olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem

add: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem

Network Authentication

modifying entry "cn=config"

7. As with the Provider you can now edit /etc/default/slapd and add the ldaps:/// parameter to

the SLAPD_SERVICES option.

Now that TLS has been setup on each server, once again modify the Consumer server's cn=config tree by entering the following in a terminal:

sudo ldapmodify -Y EXTERNAL -H ldapi:///

SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0

dn: olcDatabase={1}hdb,cn=config

replace: olcSyncrepl

olcSyncrepl: {0}rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=ad

min,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com" logbas

e="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" s

chemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog starttls=yes

modifying entry "olcDatabase={1}hdb,cn=config"

If the LDAP server hostname does not match the Fully Qualified Domain Name (FQDN) in the certificate, you may have to edit /etc/ldap/ldap.conf and add the following TLS options:

TLS_CERT /etc/ssl/certs/ldap02_slapd_cert.pem TLS_KEY /etc/ssl/private/ldap02_slapd_key.pem TLS_CACERT /etc/ssl/certs/cacert.pem

Finally, restart slapd on each of the servers:

sudo /etc/init.d/slapd restart

1.7. LDAP Authentication

Once you have a working LDAP server, the auth-client-config and libnss-ldap packages take the pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages from, a terminal prompt enter:

sudo apt-get install libnss-ldap

During the install a menu dialog will ask you connection details about your LDAP server.

If you make a mistake when entering your information you can execute the dialog again using:

Network Authentication

sudo dpkg-reconfigure ldap-auth-config

The results of the dialog can be seen in /etc/ldap.conf. If your server requires options not covered in the menu edit this file accordingly.

Now that libnss-ldap is configured enable the auth-client-config LDAP profile by entering:

sudo auth-client-config -t nss -p lac_ldap

• -t: only modifies /etc/nsswitch.conf.

• -p: name of the profile to enable, disable, etc.

• lac_ldap: the auth-client-config profile that is part of the ldap-auth-config package.

Using the pam-auth-update utility, configure the system to use LDAP for authentication:

sudo pam-auth-update

From the pam-auth-update menu, choose LDAP and any other authentication mechanisms you need.

You should now be able to login using user credentials stored in the LDAP directory.

If you are going to use LDAP to store Samba users you will need to configure the server to authenticate using LDAP. See Section 2, “Samba and LDAP” [p. 74] for details.

1.8. User and Group Management

The ldap-utils package comes with multiple utilities to manage the directory, but the long string of options needed, can make them a burden to use. The ldapscripts package contains configurable scripts to easily manage LDAP users and groups.

To install the package, from a terminal enter:

sudo apt-get install ldapscripts

Next, edit the config file /etc/ldapscripts/ldapscripts.conf uncommenting and changing the following to match your environment:

SERVER=localhost BINDDN='cn=admin,dc=example,dc=com' BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" SUFFIX='dc=example,dc=com' GSUFFIX='ou=Groups' USUFFIX='ou=People' MSUFFIX='ou=Computers' GIDSTART=10000

Network Authentication

UIDSTART=10000 MIDSTART=10000

Now, create the ldapscripts.passwd file to allow authenticated access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd" sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

Replace “secret” with the actual password for your LDAP admin user.

The ldapscripts are now ready to help manage your directory. The following are some examples of how to use the scripts:

• Create a new user:

sudo ldapadduser george example

This will create a user with uid george and set the user's primary group (gid) to example

• Change a user's password:

sudo ldapsetpasswd george

Changing password for user uid=george,ou=People,dc=example,dc=com

New Password: New Password (verify):

• Delete a user:

sudo ldapdeleteuser george

• Add a group:

sudo ldapaddgroup qa

• Delete a group:

sudo ldapdeletegroup qa

• Add a user to a group:

sudo ldapaddusertogroup george qa

You should now see a memberUid attribute for the qa group with a value of george.

• Remove a user from a group:

sudo ldapdeleteuserfromgroup george qa

The memberUid attribute should now be removed from the qa group.

Network Authentication

• The ldapmodifyuser script allows you to add, remove, or replace a user's attributes. The script uses the same syntax as the ldapmodify utility. For example:

sudo ldapmodifyuser george

# About to modify the following entry : dn: uid=george,ou=People,dc=example,dc=com objectClass: account objectClass: posixAccount cn: george uid: george uidNumber: 1001 gidNumber: 1001 homeDirectory: /home/george loginShell: /bin/bash gecos: george description: User account userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=

# Enter your modifications here, end with CTRL-D. dn: uid=george,ou=People,dc=example,dc=com

replace: gecos gecos: George Carlin

The user's gecos should now be “George Carlin”.

• Another great feature of ldapscripts, is the template system. Templates allow you to customize the attributes of user, group, and machine objectes. For example, to enable the user template edit /etc/

ldapscripts/ldapscripts.conf changing:

UTEMPLATE="/etc/ldapscripts/ldapadduser.template"

There are sample templates in the /etc/ldapscripts directory. Copy or rename the

ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:

sudo cp /etc/ldapscripts/ldapadduser.template.sample /etc/ldapscripts/ldapadduser.template

Edit the new template to add the desired attributes. The following will create new user's as with an objectClass of inetOrgPerson:

dn: uid=<user>,<usuffix>,<suffix> objectClass: inetOrgPerson objectClass: posixAccount cn: <user> sn: <ask> uid: <user> uidNumber: <uid> gidNumber: <gid> homeDirectory: <home> loginShell: <shell>

Network Authentication

gecos: <user> description: User account title: Employee

Notice the <ask> option used for the cn value. Using <ask> will configure ldapadduser to prompt you for the attribute value during user creation.

There are more useful scripts in the package, to see a full list enter: dpkg -L ldapscripts | grep bin

1.9. Resources

• The OpenLDAP Ubuntu Wiki1 page has more details.

• For more information see OpenLDAP Home Page

• Though starting to show it's age, a great source for in depth LDAP information is O'Reilly's LDAP

System Administration

• Packt's Mastering OpenLDAP4 is a great reference covering newer versions of OpenLDAP.

• For more information on auth-client-config see the man page: man auth-client-config.

• For more details regarding the ldapscripts package see the man pages: man ldapscripts, man ldapadduser, man ldapaddgroup, etc.

Network Authentication

2. Samba and LDAP

This section covers configuring Samba to use LDAP for user, group, and machine account information and authentication. The assumption is, you already have a working OpenLDAP directory installed and the server is configured to use it for authentication. See Section 1, “OpenLDAP Server” [p. 55] and Section 1.7, “LDAP Authentication” [p. 69] for details on setting up OpenLDAP. For more information on installing and configuring Samba see Chapter 17, Windows Networking [p. 220].

2.1. Installation

There are three packages needed when integrating Samba with LDAP. samba, samba-doc, and smbldap-tools packages . To install the packages, from a terminal enter:

sudo apt-get install samba samba-doc smbldap-tools

Strictly speaking the smbldap-tools package isn't needed, but unless you have another package or custom scripts, a method of managing users, groups, and computer accounts is needed.

2.2. OpenLDAP Configuration

In order for Samba to use OpenLDAP as a passdb backend, the user objects in the directory will need additional attributes. This section assumes you want Samba to be configured as a Windows NT domain controller, and will add the necessary LDAP objects and attributes.

• The Samba attributes are defined in the samba.schema file which is part of the samba-doc package. The schema file needs to be unzipped and copied to /etc/ldap/schema. From a terminal prompt enter:

sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/ sudo gzip -d /etc/ldap/schema/samba.schema.gz

• The samba schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in Section 1.3, “Further Configuration” [p. 58].

1. First, create a configuration file named schema_convert.conf, or a similar descriptive name,

containing the following lines:

Network Authentication

include /etc/ldap/schema/misc.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/openldap.schema include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/samba.schema

2. Next, create a temporary directory to hold the output:

mkdir /tmp/ldif_output

3. Now use slapcat to convert the schema files:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif

Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/cn\=samba.ldif file, changing the following attributes:

dn: cn=samba,cn=schema,cn=config ... cn: samba

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95 creatorsName: cn=config createTimestamp: 20080827045234Z entryCSN: 20080827045234.341425Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20080827045234Z

The attribute values will vary, just be sure the attributes are removed.

5. Finally, using the ldapadd utility, add the new schema to the directory:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif

There should now be a dn: cn={X}misc,cn=schema,cn=config, where "X" is the next sequential schema, entry in the cn=config tree.

• Copy and paste the following into a file named samba_indexes.ldif:

dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: uidNumber eq olcDbIndex: gidNumber eq olcDbIndex: loginShell eq

Network Authentication

olcDbIndex: uid eq,pres,sub olcDbIndex: memberUid eq,pres,sub olcDbIndex: uniqueMember eq,pres olcDbIndex: sambaSID eq olcDbIndex: sambaPrimaryGroupSID eq olcDbIndex: sambaGroupType eq olcDbIndex: sambaSIDList eq olcDbIndex: sambaDomainName eq olcDbIndex: default sub

Using the ldapmodify utility load the new indexes:

ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif

If all went well you should see the new indexes using ldapsearch:

ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb

• Next, configure the smbldap-tools package to match your environment. The package comes with a configuration script that will ask questions about the needed options. To run the script enter:

sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz sudo perl /usr/share/doc/smbldap-tools/configure.pl

Once you have answered the questions, there should be /etc/smbldap-tools/smbldap.conf and /

etc/smbldap-tools/smbldap_bind.conf files. These files are generated by the configure script, so

if you made any mistakes while executing the script it may be simpler to edit the file appropriately.

• The smbldap-populate script will add the necessary users, groups, and LDAP objects required for Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with slapcat before executing the command:

sudo slapcat -l backup.ldif

• Once you have a current backup execute smbldap-populate by entering:

sudo smbldap-populate

You can create an LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes making sure

everything is correct.

Your LDAP directory now has the necessary domain information to authenticate Samba users.

2.3. Samba Configuration

There a multiple ways to configure Samba for details on some common configurations see Chapter 17, Windows Networking [p. 220]. To configure Samba to use LDAP, edit the main Samba

Network Authentication

configuration file /etc/samba/smb.conf commenting the passdb backend option and adding the following:

# passdb backend = tdbsam

# LDAP Settings passdb backend = ldapsam:ldap://hostname ldap suffix = dc=example,dc=com ldap user suffix = ou=People ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap idmap suffix = ou=Idmap ldap admin dn = cn=admin,dc=example,dc=com ldap ssl = start tls ldap passwd sync = yes ... add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Restart samba to enable the new settings:

sudo restart smbd sudo restart nmbd

Now Samba needs to know the LDAP admin password. From a terminal prompt enter:

sudo smbpasswd -w secret

Replacing secret with your LDAP admin password.

If you currently have users in LDAP, and you want them to authenticate using Samba, they will need some Samba attributes defined in the samba.schema file. Add the Samba attributes to existing users using the smbpasswd utility, replacing username with an actual user:

sudo smbpasswd -a username

You will then be asked to enter the user's password.

To add new user, group, and machine accounts use the utilities from the smbldap-tools package. Here are some examples:

• To add a new user to LDAP with Samba attributes enter the following, replacing username with an actual username:

sudo smbldap-useradd -a -P username

The -a option adds the Samba attributes, and the -P options calls the smbldap-passwd utility after the user is created allowing you to enter a password for the user.

Network Authentication

• To remove a user from the directory enter:

sudo smbldap-userdel username

The smbldap-userdel utility also has a -r option to remove the user's home directory.

• Use smbldap-groupadd to add a group, replacing groupname with an appropriate group:

sudo smbldap-groupadd -a groupname

Similar to smbldap-useradd, the -a adds the Samba attributes.

• To add a user to a group use smbldap-groupmod:

sudo smbldap-groupmod -m username groupname

Be sure to replace username with a real user. Also, the -m option can add more than one user at a time by listing them in comma separated format.

• smbldap-groupmod can also be used to remove a user from a group:

sudo smbldap-groupmod -x username groupname

• Additionally, the smbldap-useradd utility can add Samba machine accounts:

sudo smbldap-useradd -t 0 -w username

Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies the user as a machine account. Also, note the add machine script option in /etc/samba/smb.conf was changed to use smbldap-useradd.

There are more useful utilities and options in the smbldap-tools package. The man page for each utility provides more details.

2.4. Resources

• There are multiple places where LDAP and Samba is documented in the Samba HOWTO

Collection5.

• Specifically see the passdb section6.

• Another good site is Samba OpenLDAP HOWTO7.

• Again, for more information on smbldap-tools see the man pages: man smbldap-useradd, man smbldap-groupadd, man smbldap-populate, etc.

• Also, there is a list of Ubuntu wiki8 articles with more information.

Network Authentication

3. Kerberos

Kerberos is a network authentication system based on the principal of a trusted third party. The other two parties being the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO).

This section covers installation and configuration of a Kerberos server, and some example client configurations.

3.1. Overview

If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:

• Principal: any users, computers, and services provided by servers need to be defined as Kerberos Principals.

• Instances: are used for service principals and special administrative principals.

• Realms: the unique realm of control provided by the Kerberos installation. Usually the DNS domain converted to uppercase (EXAMPLE.COM).

• Key Distribution Center: (KDC) consist of three parts, a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC.

• Ticket Granting Ticket: issued by the Authentication Server (AS), the Ticket Granting Ticket (TGT) is encrypted in the user's password which is known only to the user and the KDC.

• Ticket Granting Server: (TGS) issues service tickets to clients upon request.

• Tickets: confirm the identity of the two principals. One principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session.

• Keytab Files: are files extracted from the KDC principal database and contain the encryption key for a service or host.

To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which contains a database of Principals. When a user principal logs into a workstation, configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password.

Network Authentication

3.2. Kerberos Server

3.2.1. Installation

Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the example.com domain configured in Section 2.3, “Primary Master” [p. 95].

Also, Kerberos is a time sensitive protocol. So if the local system time between a client machine and the server differs by more than five minutes (by default), the workstation will not be able to authenticate. To correct the problem all hosts should have their time synchronized using the Network

Time Protocol (NTP). For details on setting up NTP see Section 4, “Time Synchronisation with NTP” [p. 45].

The first step in installing a Kerberos Realm is to install the krb5-kdc and krb5-admin-server packages. From a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server

You will be asked at the end of the install to supply a name for the Kerberos and Admin servers, which may or may not be the same server, for the realm.

Next, create the new realm with the kdb5_newrealm utility:

sudo krb5_newrealm

3.2.2. Configuration

The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon.

1. Now that the KDC running an admin user is needed. It is recommended to use a different

username from your everyday username. Using the kadmin.local utility in a terminal prompt enter:

sudo kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: addprinc steve/admin WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy Enter password for principal "steve/admin@EXAMPLE.COM": Re-enter password for principal "steve/admin@EXAMPLE.COM": Principal "steve/admin@EXAMPLE.COM" created. kadmin.local: quit

Network Authentication

In the above example steve is the Principal, /admin is an Instance, and @EXAMPLE.COM signifies the realm. The "every day" Principal would be steve@EXAMPLE.COM, and should have only normal user rights.

Replace EXAMPLE.COM and steve with your Realm and admin username.

2. Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions.

The permissions are configured in the /etc/krb5kdc/kadm5.acl file:

steve/admin@EXAMPLE.COM *

This entry grants steve/admin the ability to perform any operation on all principals in the realm.

3. Now restart the krb5-admin-server for the new ACL to take affect:

sudo /etc/init.d/krb5-admin-server restart

4. The new user principal can be tested using the kinit utility:

kinit steve/admin

steve/admin@EXAMPLE.COM's Password:

After entering the password, use the klist utility to view information about the Ticket Granting Ticket (TGT):

klist

Credentials cache: FILE:/tmp/krb5cc_1000 Principal: steve/admin@EXAMPLE.COM

Issued Expires Principal Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM

You may need to add an entry into the /etc/hosts for the KDC. For example:

192.168.0.1 kdc01.example.com kdc01

Replacing 192.168.0.1 with the IP address of your KDC.

5. In order for clients to determine the KDC for the Realm some DNS SRV records are needed.

Add the following to /etc/named/db.example.com:

_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com. _kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com. _kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. _kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com. _kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com. _kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.

Network Authentication

Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC.

See Chapter 7, Domain Name Service (DNS) [p. 92] for detailed instructions on setting up DNS.

Your new Kerberos Realm is now ready to authenticate clients.

3.3. Secondary KDC

Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the primary becomes unavailable.

1. First, install the packages, and when asked for the Kerberos and Admin server names enter the

name of the Primary KDC:

sudo apt-get install krb5-kdc krb5-admin-server

2. Once you have the packages installed, create the Secondary KDC's host principal. From a

terminal prompt, enter:

kadmin -q "addprinc -randkey host/kdc02.example.com"

After, issuing any kadmin commands you will be prompted for your username/ admin@EXAMPLE.COM principal password.

3. Extract the keytab file:

kadmin -q "ktadd -k keytab.kdc02 host/kdc02.example.com"

4. There should now be a keytab.kdc02 in the current directory, move the file to /etc/

krb5.keytab:

sudo mv keytab.kdc02 /etc/krb5.keytab

If the path to the keytab.kdc02 file is different adjust accordingly.

Also, you can list the principals in a Keytab file, which can be useful when troubleshooting, using the klist utility:

sudo klist -k /etc/krb5.keytab

5. Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For

example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:

Network Authentication

host/kdc01.example.com@EXAMPLE.COM host/kdc02.example.com@EXAMPLE.COM

6. Create an empty database on the Secondary KDC:

sudo kdb5_util -s create

7. Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used

to transfer dump files:

sudo kpropd -S

8. From a terminal on the Primary KDC, create a dump file of the principal database:

sudo kdb5_util dump /var/lib/krb5kdc/dump

9. Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab:

kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com" sudo mv keytab.kdc01 /etc/krb5.keytab

Make sure there is a host for kdc01.example.com before extracting the Keytab.

10. Using the kprop utility push the database to the Secondary KDC:

sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

There should be a SUCCEEDED message if the propagation worked. If there is an error message check /var/log/syslog on the secondary KDC for more information.

You may also want to create a cron job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour:

# m h dom mon dow command 0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

11. Back on the Secondary KDC, create a stash file to hold the Kerberos master key:

sudo kdb5_util stash

12. Finally, start the krb5-kdc daemon on the Secondary KDC:

sudo /etc/init.d/krb5-kdc start

The Secondary KDC should now be able to issue tickets for the Realm. You can test this by stopping the krb5-kdc daemon on the Primary KDC, then use kinit to request a ticket. If all goes well you should receive a ticket from the Secondary KDC.

Network Authentication

3.4. Kerberos Linux Client

This section covers configuring a Linux system as a Kerberos client. This will allow access to any kerberized services once a user has successfully logged into the system.

3.4.1. Installation

In order to authenticate to a Kerberos Realm, the krb5-user and libpam-krb5 packages are needed, along with a few others that are not strictly necessary but make life easier. To install the packages enter the following in a terminal prompt:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

The auth-client-config package allows simple configuration of PAM for authentication from multiple sources, and the libpam-ccreds will cache authentication credentials allowing you to login in case the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may authenticate using Kerberos while on the corporate network, but will need to be accessed off the network as well.

3.4.2. Configuration

To configure the client in a terminal enter:

sudo dpkg-reconfigure krb5-config

You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos SRV records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server.

The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have entries similar to the following:

[libdefaults] default_realm = EXAMPLE.COM ... [realms] EXAMPLE.COM = } kdc = 192.168.0.1 admin_server = 192.168.0.1 }

You can test the configuration by requesting a ticket using the kinit utility. For example:

kinit steve@EXAMPLE.COM

Password for steve@EXAMPLE.COM:

When a ticket has been granted, the details can be viewed using klist:

Network Authentication

klist

Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: steve@EXAMPLE.COM

Valid starting Expires Service principal 07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM renew until 07/25/08 05:18:57

Kerberos 4 ticket cache: /tmp/tkt1000 klist: You have no tickets cached

Next, use the auth-client-config to configure the libpam-krb5 module to request a ticket during login:

sudo auth-client-config -a -p kerberos_example

You will should now receive a ticket upon successful login authentication.

3.5. Resources

• For more information on Kerberos see the MIT Kerberos9 site.

• The Ubuntu Wiki Kerberos10 page has more details.

• O'Reilly's Kerberos: The Definitive Guide11 is a great reference when setting up Kerberos.

• Also, feel free to stop by the #ubuntu-server IRC channel on Freenode12 if you have Kerberos questions.

Network Authentication

4. Kerberos and LDAP

Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an LDAP directory as a principal database. This section covers configuring a primary and secondary kerberos server to use OpenLDAP for the principal database.

4.1. Configuring OpenLDAP

First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see Section 1, “OpenLDAP Server” [p. 55].

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See Section 1.6, “TLS and SSL” [p. 65] for details.

• To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a terminal enter:

sudo apt-get install krb5-kdc-ldap

• Next, extract the kerberos.schema.gz file:

sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

• The kerberos schema needs to be added to the cn=config tree. The procedure to add a new schema to slapd is also detailed in Section 1.3, “Further Configuration” [p. 58].

1. First, create a configuration file named schema_convert.conf, or a similar descriptive name,

containing the following lines:

2. Create a temporary directory to hold the LDIF files:

Network Authentication

mkdir /tmp/ldif_output

3. Now use slapcat to convert the schema files:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif

Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/cn\=kerberos.ldif file, changing the following attributes:

dn: cn=kerberos,cn=schema,cn=config ... cn: kerberos

And remove the following lines from the end of the file:

structuralObjectClass: olcSchemaConfig entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc creatorsName: cn=config createTimestamp: 20090111203515Z entryCSN: 20090111203515.326445Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20090111203515Z

The attribute values will vary, just be sure the attributes are removed.

5. Load the new schema with ldapadd:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif

6. Add an index for the krb5principalname attribute:

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: olcDatabase={1}hdb,cn=config

add: olcDbIndex

olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"

7. Finally, update the Access Control Lists (ACL):

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: olcDatabase={1}hdb,cn=config

replace: olcAccess

olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=exampl

e,dc=com" write by anonymous auth by self write by * none

Network Authentication

add: olcAccess

olcAccess: to dn.base="" by * read

add: olcAccess

olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.

4.2. Primary KDC Configuration

With OpenLDAP configured it is time to configure the KDC.

• First, install the necessary packages, from a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

• Now edit /etc/krb5.conf adding the following options to under the appropriate sections:

[libdefaults] default_realm = EXAMPLE.COM

...

[realms] EXAMPLE.COM = { kdc = kdc01.example.com kdc = kdc02.example.com admin_server = kdc01.example.com admin_server = kdc02.example.com default_domain = example.com database_module = openldap_ldapconf }

...

[domain_realm] .example.com = EXAMPLE.COM

...

[dbdefaults] ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules] openldap_ldapconf = { db_library = kldap ldap_kdc_dn = "cn=admin,dc=example,dc=com"

Network Authentication

# this object needs to have read rights on # the realm container, principal container and realm sub-trees ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

# this object needs to have read and write rights on # the realm container, principal container and realm sub-trees ldap_service_password_file = /etc/krb5kdc/service.keyfile ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com ldap_conns_per_server = 5 }

Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your

network.

• Next, use the kdb5_ldap_util utility to create the realm:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

• Create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmin_dn options in /etc/krb5.conf:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

• Copy the CA certificate from the LDAP server:

scp ldap01:/etc/ssl/certs/cacert.pem . sudo cp cacert.pem /etc/ssl/certs

And edit /etc/ldap/ldap.conf to use the certificate:

TLS_CACERT /etc/ssl/certs/cacert.pem

The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS.

You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:

sudo kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password. kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy Enter password for principal "steve@EXAMPLE.COM": Re-enter password for principal "steve@EXAMPLE.COM": Principal "steve@EXAMPLE.COM" created.

Network Authentication

There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist utilities to test that the user is indeed issued a ticket.

If the user object is already created the -x dn="..." option is needed to add the Kerberos attributes. Otherwise a new principal object will be created in the realm subtree.

4.3. Secondary KDC Configuration

Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database.

• First, install the necessary packages. In a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

• Next, edit /etc/krb5.conf to use the LDAP backend:

[libdefaults] default_realm = EXAMPLE.COM

...

[domain_realm] .example.com = EXAMPLE.COM

...

[dbdefaults] ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules] openldap_ldapconf = { db_library = kldap ldap_kdc_dn = "cn=admin,dc=example,dc=com"

# this object needs to have read rights on # the realm container, principal container and realm sub-trees ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

Network Authentication

• Create the stash for the LDAP bind password:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

• Now, on the Primary KDC copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical media.

sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~ sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

Again, replace EXAMPLE.COM with your actual realm.

• Finally, start the krb5-kdc daemon:

sudo /etc/init.d/krb5-kdc start

You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable.

4.4. Resources

• The Kerberos Admin Guide13 has some additional details.

• For more information on kdb5_ldap_util see Section 5.614 and the kdb5_ldap_util man page15.

• Another useful link is the krb5.conf man page16.

• Also, see the Kerberos and LDAP17 Ubuntu wiki page.

Chapter 7. Domain Name Service (DNS)

Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another. In this way, DNS alleviates the need to remember IP addresses. Computers that run DNS are called name servers. Ubuntu ships with BIND (Berkley Internet Naming Daemon), the most common program used for maintaining a name server on Linux.

Domain Name Service (DNS)

1. Installation

At a terminal prompt, enter the following command to install dns:

sudo apt-get install bind9

A very useful package for testing and troubleshooting DNS issues is the dnsutils package. To install dnsutils enter the following:

sudo apt-get install dnsutils

Domain Name Service (DNS)

2. Configuration

There a many ways to configure BIND9. Some of the most common configurations are a caching nameserver, primary master, and a as a secondary master.

• When configured as a caching nameserver BIND9 will find the answer to name queries and remember the answer when the domain is queried again.

• As a primary master server BIND9 reads the data for a zone from a file on it's host and is authoritative for that zone.

• In a secondary master configuration BIND9 gets the zone data from another nameserver authoritative for the zone.

2.1. Overview

The DNS configuration files are stored in the /etc/bind directory. The primary configuration file is /

etc/bind/named.conf.

The include line specifies the filename which contains the DNS options. The directory line in the /

etc/bind/named.conf.options file tells DNS where to look for files. All files BIND uses will be

relative to this directory.

The file named /etc/bind/db.root describes the root nameservers in the world. The servers change over time, so the /etc/bind/db.root file must be maintained now and then. This is usually done as updates to the bind9 package. The zone section defines a master server, and it is stored in a file mentioned in the file option.

It is possible to configure the same server to be a caching name server, primary master, and secondary master. A server can be the Start of Authority (SOA) for one zone, while providing secondary service for another zone. All the while providing caching services for hosts on the local LAN.

2.2. Caching Nameserver

The default configuration is setup to act as a caching server. All that is required is simply adding the IP Addresses of your ISP's DNS servers. Simply uncomment and edit the following in /etc/bind/

named.conf.options:

forwarders {

1.2.3.4;

5.6.7.8;

};

Replace 1.2.3.4 and 5.6.7.8 with the IP Adresses of actual nameservers.

Now restart the DNS server, to enable the new configuration. From a terminal prompt:

Ubuntu 10.04 LTS User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Ubuntu Server Guide

Table of Contents

Chapter 1. Introduction

1. Support

Chapter 2. Installation

1. Preparing to Install

1.1. System Requirements

1.2. Server and Desktop Differences

1.2.1. Kernel Differences:

1.3. Backing Up

2. Installing from CD

2.1. Package Tasks

3. Upgrading

3.1. do-release-upgrade

4. Advanced Installation

4.1. Software RAID

4.1.1. Partitioning

4.1.2. RAID Configuration

4.1.3. Formatting

4.1.4. Degraded RAID

4.1.5. RAID Maintenance

4.1.6. Resources

4.2. Logical Volume Manager (LVM)

4.2.1. Overview

4.2.2. Installation

4.2.3. Extending Volume Groups

4.2.4. Resources

Chapter 3. Package Management

1. Introduction

2. dpkg

3. Apt-Get

4. Aptitude

5. Automatic Updates

5.1. Notifications

6. Configuration

6.1. Extra Repositories

7. References

Chapter 4. Networking

1. Network Configuration

1.1. Ethernet Interfaces

1.1.1. Identify Ethernet Interfaces

1.1.2. Ethernet Interface Logical Names

1.1.3. Ethernet Interface Settings

1.2. IP Addressing

1.2.1. Temporary IP Address Assignment

1.2.2. Dynamic IP Address Assignment (DHCP Client)

1.2.3. Static IP Address Assignment

1.2.4. Loopback Interface

1.3. Name Resolution

1.3.1. DNS Client Configuration

1.3.2. Static Hostnames

1.3.3. Name Service Switch Configuration

1.4. Bridging

1.5. Resources

2. TCP/IP

2.1. TCP/IP Introduction

2.2. TCP/IP Configuration

2.3. IP Routing

2.4. TCP and UDP

2.5. ICMP

2.6. Daemons

2.7. Resources

3. Dynamic Host Configuration Protocol (DHCP)

3.1. Installation

3.2. Configuration

3.3. References

4. Time Synchronisation with NTP

4.1. ntpdate

4.2. ntpd

4.3. Changing Time Servers

4.4. References

Chapter 5. Remote Administration

1. OpenSSH Server

1.1. Introduction

1.2. Installation

1.3. Configuration