Ubuntu 9.10 User Manual

Ubuntu Server Guide

Ubuntu Server Guide

Copyright © 2008 Canonical Ltd. and members of the Ubuntu Documentation Project

Abstract

Welcome to the Ubuntu Server Guide! It contains information on how to install and configure various server
applications on your Ubuntu system to fit your needs. It is a step-by-step, task-oriented guide for configuring
and customizing your system.

Credits and License

3

This document is maintained by the Ubuntu documentation team (https://wiki.ubuntu.com/DocumentationTeam). For a list of contributors,
see the contributors page

1

This document is made available under the Creative Commons ShareAlike 2.5 License (CC-BY-SA).

You are free to modify, extend, and improve the Ubuntu documentation source code under the terms of this license. All derivative works
must be released under this license.

This documentation is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER.

A copy of the license is available here: Creative Commons ShareAlike License2.

3

https://launchpad.net/~ubuntu-core-doc

1

../../libs/C/contributors.xml

2

/usr/share/ubuntu-docs/libs/C/ccbysa.xml

Table of Contents

1. Introduction ........................................................................................................................... 1

1. Support .......................................................................................................................... 2

2. Installation ............................................................................................................................. 3

1. Preparing to Install ......................................................................................................... 4

2. Installing from CD ......................................................................................................... 6

3. Upgrading ...................................................................................................................... 9

4. Advanced Installation ................................................................................................... 10

3. Package Management ........................................................................................................... 17

1. Introduction ................................................................................................................. 18

2. dpkg ............................................................................................................................ 19

3. Apt-Get ........................................................................................................................ 20

4. Aptitude ....................................................................................................................... 22

5. Automatic Updates ....................................................................................................... 24

6. Configuration ............................................................................................................... 26

7. References ................................................................................................................... 28

4. Networking .......................................................................................................................... 29

1. Network Configuration ................................................................................................. 30

2. TCP/IP ......................................................................................................................... 34

3. Dynamic Host Configuration Protocol (DHCP) .............................................................. 38

4. Time Synchronisation with NTP ................................................................................... 41

5. Remote Administration ......................................................................................................... 43

1. OpenSSH Server .......................................................................................................... 44

2. eBox ............................................................................................................................ 47

6. Network Authentication ........................................................................................................ 50

1. OpenLDAP Server ....................................................................................................... 51

2. Samba and LDAP ........................................................................................................ 65

3. Kerberos ...................................................................................................................... 70

4. Kerberos and LDAP ..................................................................................................... 77

7. Domain Name Service (DNS) ............................................................................................... 83

1. Installation ................................................................................................................... 84

2. Configuration ............................................................................................................... 85

3. Troubleshooting ........................................................................................................... 90

4. References ................................................................................................................... 94

8. Security ............................................................................................................................... 95

1. User Management ........................................................................................................ 96

2. Console Security ........................................................................................................ 102

3. Firewall ...................................................................................................................... 104

4. AppArmor .................................................................................................................. 111

5. Certificates ................................................................................................................. 115

6. eCryptfs ..................................................................................................................... 120

iii

Ubuntu Server Guide

9. Monitoring ......................................................................................................................... 122

1. Overview ................................................................................................................... 123

2. Nagios ....................................................................................................................... 124

3. Munin ........................................................................................................................ 128

10. Web Servers ..................................................................................................................... 130

1. HTTPD - Apache2 Web Server ................................................................................... 131

2. PHP5 - Scripting Language ......................................................................................... 138

3. Squid - Proxy Server .................................................................................................. 140

4. Ruby on Rails ............................................................................................................ 142

5. Apache Tomcat .......................................................................................................... 144

11. Databases ......................................................................................................................... 148

1. MySQL ...................................................................................................................... 149

2. PostgreSQL ................................................................................................................ 151

12. LAMP Applications .......................................................................................................... 153

1. Overview ................................................................................................................... 154

2. Moin Moin ................................................................................................................. 155

3. MediaWiki ................................................................................................................. 157

4. phpMyAdmin ............................................................................................................. 159

13. File Servers ...................................................................................................................... 161

1. FTP Server ................................................................................................................. 162

2. Network File System (NFS) ........................................................................................ 166

3. CUPS - Print Server ................................................................................................... 168

14. Email Services .................................................................................................................. 171

1. Postfix ....................................................................................................................... 172

2. Exim4 ........................................................................................................................ 179

3. Dovecot Server ........................................................................................................... 182

4. Mailman .................................................................................................................... 184

5. Mail Filtering ............................................................................................................. 190

15. Chat Applications ............................................................................................................. 196

1. Overview ................................................................................................................... 197

2. IRC Server ................................................................................................................. 198

3. Jabber Instant Messaging Server .................................................................................. 200

16. Version Control System .................................................................................................... 202

1. Bazaar ........................................................................................................................ 203

2. Subversion ................................................................................................................. 204

3. CVS Server ................................................................................................................ 209

4. References ................................................................................................................. 211

17. Windows Networking ....................................................................................................... 212

1. Introduction ................................................................................................................ 213

2. Samba File Server ...................................................................................................... 214

3. Samba Print Server ..................................................................................................... 216

4. Securing a Samba File and Print Server ....................................................................... 217

iv

Ubuntu Server Guide

5. Samba as a Domain Controller .................................................................................... 221

6. Samba Active Directory Integration ............................................................................. 225

7. Likewise Open ........................................................................................................... 227

18. Backups ........................................................................................................................... 231

1. Shell Scripts ............................................................................................................... 232

2. Archive Rotation ........................................................................................................ 236

3. Bacula ........................................................................................................................ 239

19. Virtualization .................................................................................................................... 244

1. libvirt ......................................................................................................................... 245

2. JeOS and vmbuilder ................................................................................................... 250

3. Eucalyptus ................................................................................................................. 260

4. OpenNebula ............................................................................................................... 262

20. Clustering ......................................................................................................................... 265

1. DRBD ........................................................................................................................ 266

21. VPN ................................................................................................................................. 269

1. OpenVPN .................................................................................................................. 270

22. Other Useful Applications ................................................................................................. 274

1. Update MOTD ........................................................................................................... 275

2. etckeeper .................................................................................................................... 277

3. Screen Profiles ........................................................................................................... 279

4. References ................................................................................................................. 281

v

List of Tables

2.1. Recommended Minimum Requirements ................................................................................ 4

16.1. Access Methods ............................................................................................................. 205

vi

Chapter 1. Introduction

Welcome to the Ubuntu Server Guide!

Here you can find information on how to install and configure various server applications. It is a step­by-step, task-oriented guide for configuring and customizing your system.

This guide assumes you have a basic understanding of your Ubuntu system. Some installation details
are covered in Chapter 2, Installation [p. 3], but if you need detailed instructions installing
Ubuntu please refer to the Ubuntu Installation Guide1.

A HTML version of the manual is available online at the Ubuntu Documentation website2. The
HTML files are also available in the ubuntu-serverguide package. See Chapter 3, Package
Management [p. 17] for details on installing packages.

If you choose to install the ubuntu-serverguide you can view this document from a console by:

w3m /usr/share/ubuntu-serverguide/html/en_GB/index.html

Replace en_GB with your language localization.

1

https://help.ubuntu.com/9.10/installation-guide/

2

http://help.ubuntu.com

1

Introduction

1. Support

There a couple of different ways that Ubuntu Server Edition is supported, commercial support and
community support. The main commercial support (and development funding) is available from
Canonical Ltd. They supply reasonably priced support contracts on a per desktop or per server basis.
For more information see the Canonical Services3 page.

Community support is also provided by dedicated individuals, and companies, that wish to make
Ubuntu the best distribution possible. Support is provided through multiple mailing lists, IRC
channels, forums, blogs, wikis, etc. The large amount of information available can be overwhelming,
but a good search engine query can usually provide an answer to your questions. See the Ubuntu

Support4 page for more information.

3

http://www.canonical.com/services/support

4

http://www.ubuntu.com/support

2

Chapter 2. Installation

This chapter provides a quick overview of installing Ubuntu 9.10 Server Edition. For more detailed
instructions, please refer to the Ubuntu Installation Guide1.

1

https://help.ubuntu.com/9.10/installation-guide/

3

Installation

1. Preparing to Install

This section explains various aspects to consider before starting the installation.

1.1. System Requirements

Ubuntu 9.10 Server Edition supports two (2) major architectures: Intel x86 and AMD64. The table
below lists recommended hardware specifications. Depending on your needs, you might manage with
less than this. However, most users risk being frustrated if they ignore these suggestions.

Table 2.1. Recommended Minimum Requirements

Hard Drive Space

Install Type RAM

Server 128 megabytes 500

The Server Edition provides a common base for all sorts of server applications. It is a minimalist
design providing a platform for the desired services, such as file/print services, web hosting, email
hosting, etc.

Base

All Tasks Installed

System

1 gigabyte

megabytes

1.2. Server and Desktop Differences

There are a few differences between the Ubuntu Server Edition and the Ubuntu Desktop Edition. It
should be noted that both editions use the same apt repositories. Making it just as easy to install a
server application on the Desktop Edition as it is on the Server Edition.

The differences between the two editions are the lack of an X window environment in the Server
Edition, the installation process, and different Kernel options.

1.2.1. Kernel Differences:

• The Server Edition uses the Deadline I/O scheduler instead of the CFQ scheduler used by the
Desktop Edition.

• Preemption is turned off in the Server Edition.

• The timer interrupt is 100 Hz in the Server Edition and 250 Hz in the Desktop Edition.

When running a 64-bit version of Ubuntu on 64-bit processors you are not limited by
memory addressing space.

To see all kernel configuration options you can look through /boot/config-2.6.31-server. Also,

Linux Kernel in a Nutshell2 is a great resource on the options available.

2

http://www.kroah.com/lkn/

4

Installation

1.3. Backing Up

• Before installing Ubuntu Server Edition you should make sure all data on the system is backed up.
See Chapter 18, Backups [p. 231] for backup options.

If this is not the first time an operating system has been installed on your computer, it is likely you
will need to re-partition your disk to make room for Ubuntu.

Any time you partition your disk, you should be prepared to lose everything on the disk should you
make a mistake or something goes wrong during partitioning. The programs used in installation are
quite reliable, most have seen years of use, but they also perform destructive actions.

5

Installation

2. Installing from CD

The basic steps to install Ubuntu Server Edition from CD are the same for installing any operating
system from CD. Unlike the Desktop Edition the Server Edition does not include a graphical
installation program. Instead the Server Edition uses a console menu based process.

• First, download and burn the appropriate ISO file from the Ubuntu web site3.

• Boot the system from the CD-ROM drive.

• At the boot prompt you will be asked to select the language. Afterwards the installation process
begins by asking for your keyboard layout.

• The installer then discovers your hardware configuration, and configures the network settings using
DHCP. If you do not wish to use DHCP at the next screen choose "Go Back", and you have the
option to "Configure the network manually".

• Next, the installer asks for the system's hostname and Time Zone.

• You can then choose from several options to configure the hard drive layout. For advanced disk
options see Section 4, “Advanced Installation” [p. 10].

• The Ubuntu base system is then installed.

• A new user is setup, this user will have root access through the sudo utility.

• After the user is setup, you will be asked to encrypt your home directory.

• The next step in the installation process is to decide how you want to update the system. There are
three options:

• No automatic updates: this requires an administrator to log into the machine and manually install

updates.

• Install security updates Automatically: will install the unattended-upgrades package, which

will install security updates without the intervention of an administrator. For more details see
Section 5, “Automatic Updates” [p. 24].

• Manage the system with Landscape: Landscape is a paid service provided by Canonical to help

manage your Ubuntu machines. See the Landscape4 site for details.

• You now have the option to install, or not install, several package tasks. See Section 2.1, “Package
Tasks” [p. 7] for details. Also, there is an option to launch aptitude to choose specific
packages to install. For more information see Section 4, “Aptitude” [p. 22].

• Finally, the last step before rebooting is to set the clock to UTC.

If at any point during installation you are not satisfied by the default setting, use the "Go
Back" function at any prompt to be brought to a detailed installation menu that will allow
you to modify the default settings.

At some point during the installation process you may want to read the help screen provided by the
installation system. To do this, press F1.

6

Installation

Once again, for detailed instructions see the Ubuntu Installation Guide5.

2.1. Package Tasks

During the Server Edition installation you have the option of installing additional packages from the
CD. The packages are grouped by the type of service they provide.

• DNS server: Selects the BIND DNS server and its documentation.

• LAMP server: Selects a ready-made Linux/Apache/MySQL/PHP server.

• Mail server: This task selects a variety of package useful for a general purpose mail server system.

• OpenSSH server: Selects packages needed for an OpenSSH server.

• PostgreSQL database: This task selects client and server packages for the PostgreSQL database.

• Print server: This task sets up your system to be a print server.

• Samba File server: This task sets up your system to be a Samba file server, which is especially
suitable in networks with both Windows and Linux systems.

• Tomcat server: Installs the Apache Tomcat and needed dependencies Java, gcj, etc.

• Virtual machine host: Includes packages needed to run KVM virtual machines.

Installing the package groups is accomplished using the tasksel utility. One of the important
difference between Ubuntu (or Debian) and other GNU/Linux distribution is that, when installed, a
package is also configured to reasonable defaults, eventually prompting you for additional required
information. Likewise, when installing a task, the packages are not only installed, but also configured
to provided a fully integrated service.

Once the installation process has finished you can view a list of available tasks by entering the
following from a terminal prompt:

tasksel --list-tasks

The output will list tasks from other Ubuntu based distributions such as Kubuntu and
Edubuntu. Note that you can also invoke the tasksel command by itself, which will bring up
a menu of the different tasks available.

You can view a list of which packages are installed with each task using the --task-packages option.
For example, to list the packages installed with the DNS Server task enter the following:

tasksel --task-packages dns-server

The output of the command should list:

bind9-doc

5

https://help.ubuntu.com/9.10/installation-guide/

7

Installation

bind9utils
bind9

Also, if you did not install one of the tasks during the installation process, but for example you decide
to make your new LAMP server a DNS server as well. Simply insert the installation CD and from a
terminal:

sudo tasksel install dns-server

8

Installation

3. Upgrading

There are several ways to upgrade from one Ubuntu release to another. This section gives an overview
of the recommended upgrade method.

3.1. do-release-upgrade

The recommended way to upgrade a Server Edition installation is to use the do-release-upgrade
utility. Part of the update-manager-core package, it does not have any graphical dependencies and is
installed by default.

Debian based systems can also be upgraded by using apt-get dist-upgrade. However, using do­release-upgrade is recommended because it has the ability to handle system configuration changes
sometimes needed between releases.

To upgrade to a newer release, from a terminal prompt enter:

do-release-upgrade

It is also possible to use do-release-upgrade to upgrade to a development version of Ubuntu. To
accomplish this use the -d switch:

do-release-upgrade -d

Upgrading to a development release is not recommended for production environments.

9

Installation

4. Advanced Installation

4.1. Software RAID

RAID is a method of configuring multiple hard drives to act as one, reducing the probability of
catastrophic data loss in case of drive failure. RAID is implemented in either software (where the
operating system knows about both drives and actively maintains both of them) or hardware (where a
special controller makes the OS think there's only one drive and maintains the drives 'invisibly').

The RAID software included with current versions of Linux (and Ubuntu) is based on the 'mdadm'
driver and works very well, better even than many so-called 'hardware' RAID controllers. This section
will guide you through installing Ubuntu Server Edition using two RAID1 partitions on two physical
hard drives, one for / and another for swap.

4.1.1. Partitioning

Follow the installation steps until you get to the Partition disks step, then:

1. Select Manual as the partition method.

2. Select the first hard drive, and agree to "Create a new empty partition table on this device?".

Repeat this step for each drive you wish to be part of the RAID array.

3. Select the "FREE SPACE" on the first drive then select "Create a new partition".

4. Next, select the Size of the partition. This partition will be the swap partition, and a general

rule for swap size is twice that of RAM. Enter the partition size, then choose Primary, then
Beginning.

5. Select the "Use as:" line at the top. By default this is "Ext3 journaling file system", change that to

"physical volume for RAID" then "Done setting up partition".

6. For the / partition once again select "Free Space" on the first drive then "Create a new partition".

7. Use the rest of the free space on the drive and choose Continue, then Primary.

8. As with the swap partition, select the "Use as:" line at the top, changing it to "physical volume

for RAID" then choose "Done setting up partition".

9. Repeat steps three through eight for the other disk and partitions.

4.1.2. RAID Configuration

With the partitions setup the arrays are ready to be configured:

1. Back in the main "Partition Disks" page, select "Configure Software RAID" at the top.

2. Select "yes" to write the changes to disk.

3. Choose "Create MD drive".

10

Installation

4. For this example, select "RAID1", but if you are using a different setup choose the appropriate

type (RAID0 RAID1 RAID5).

In order to use RAID5 you need at least three drives. Using RAID0 or RAID1 only two
drives are required.

5. Enter the number of active devices "2", or the amount of hard drives you have, for the array.

Then select "Continue".

6. Next, enter the number of spare devices "0" by default, then choose "Continue".

7. Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, etc. The numbers will

usually match and the different letters correspond to different hard drives.

For the swap partition choose sda1 and sdb1. Select "Continue" to go to the next step.

8. Repeat steps three through seven for the / partition choosing sda2 and sdb2.

9. Once done select "Finish".

4.1.3. Formatting

There should now be a list of hard drives and RAID devices. The next step is to format and set the
mount point for the RAID devices. Treat the RAID device as a local hard drive, format and mount
accordingly.

1. Select the RAID1 device #0 partition.

2. Choose "Use as:". Then select "swap area", then "Done setting up partition".

3. Next, select the RAID1 device #1 partition.

4. Choose "Use as:". Then select "Ext3 journaling file system".

5. Then select the "Mount point" and choose "/ - the root file system". Change any of the other

options as appropriate, then select "Done setting up partition".

6. Finally, select "Finish partitioning and write changes to disk".

If you choose to place the root partition on a RAID array, the installer will then ask if you would like
to boot in a degraded state. See Section 4.1.4, “Degraded RAID” [p. 11] for further details.

The installation process will then continue normally.

4.1.4. Degraded RAID

At some point in the life of the computer a disk failure event may occur. When this happens, using
Software RAID, the operating system will place the array into what is known as a degraded state.

If the array has become degraded, due to the chance of data corruption, by default Ubuntu Server
Edition will boot to initramfs after thirty seconds. Once the initramfs has booted there is a fifteen
second prompt giving you the option to go ahead and boot the system, or attempt manual recover.
Booting to the initramfs prompt may or may not be the desired behavior, especially if the machine is
in a remote location. Booting to a degraded array can be configured several ways:

11

Installation

• The dpkg-reconfigure utility can be used to configure the default behavior, and during the process
you will be queried about additional settings related to the array. Such as monitoring, email alerts,
etc. To reconfigure mdadm enter the following:

sudo dpkg-reconfigure mdadm

• The dpkg-reconfigure mdadm process will change the /etc/initramfs-tools/conf.d/mdadm
configuration file. The file has the advantage of being able to pre-configure the system's behavior,
and can also be manually edited:

BOOT_DEGRADED=true

The configuration file can be overridden by using a Kernel argument.

• Using a Kernel argument will allow the system to boot to a degraded array as well:

• When the server is booting press ESC to open the Grub menu.

• Press "e" to edit your Kernel command options.

• Press the DOWN arrow to highlight the kernel line.

• Press the "e" key again to edit the kernel line.

• Add "bootdegraded=true" (without the quotes) to the end of the line.

• Press "ENTER".

• Finally, press "b" to boot the system.

Once the system has booted you can either repair the array see Section 4.1.5, “RAID
Maintenance” [p. 12] for details, or copy important data to another machine due to major
hardware failure.

4.1.5. RAID Maintenance

The mdadm utility can be used to view the status of an array, add disks to an array, remove disks, etc:

• To view the status of an array, from a terminal prompt enter:

sudo mdadm -D /dev/md0

The -D tells mdadm to display detailed information about the /dev/md0 device. Replace /dev/md0
with the appropriate RAID device.

• To view the status of a disk in an array:

sudo mdadm -E /dev/sda1

The output if very similar to the mdadm -D command, adjust /dev/sda1 for each disk.

• If a disk fails and needs to be removed from an array enter:

12

Installation

sudo mdadm --remove /dev/md0 /dev/sda1

Change /dev/md0 and /dev/sda1 to the appropriate RAID device and disk.

• Similarly, to add a new disk:

sudo mdadm --add /dev/md0 /dev/sda1

Sometimes a disk can change to a faulty state even though there is nothing physically wrong with
the drive. It is usually worthwhile to remove the drive from the array then re-add it. This will cause
the drive to re-sync with the array. If the drive will not sync with the array, it is a good indication of
hardware failure.

The /proc/mdstat file also contains useful information about the system's RAID devices:

cat /proc/mdstat

Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
10016384 blocks [2/2] [UU]

unused devices: <none>

The following command is great for watching the status of a syncing drive:

watch -n1 cat /proc/mdstat

Press Ctrl+c to stop the watch command.

If you do need to replace a faulty drive, after the drive has been replaced and synced, grub will need
to be installed. To install grub on the new drive, enter the following:

sudo grub-install /dev/md0

Replace /dev/md0 with the appropriate array device name.

4.1.6. Resources

The topic of RAID arrays is a complex one due to the plethora of ways RAID can be configured.
Please see the following links for more information:

• Software RAID HOWTO

• Managing RAID on Linux

6

7

4.2. Logical Volume Manager (LVM)

Logical Volume Manger, or LVM, allows administrators to create logical volumes out of one or
multiple physical hard disks. LVM volumes can be created on both software RAID partitions and

13

Installation

standard partitions residing on a single disk. Volumes can also be extended, giving greater flexibility
to systems as requirements change.

4.2.1. Overview

A side effect of LVM's power and flexibility is a greater degree of complication. Before diving into
the LVM installation process, it is best to get familiar with some terms.

• Volume Group (VG): contains one or several Logical Volumes (LV).

• Logical Volume (LV): is similar to a partition in a non-LVM system. Multiple Physical Volumes
(PV) can make up one LV, on top of which resides the actual EXT3, XFS, JFS, etc filesystem.

• Physical Volume (PV): physical hard disk or software RAID partition. The Volume Group can be
extended by adding more PVs.

4.2.2. Installation

As an example this section covers installing Ubuntu Server Edition with /srv mounted on a LVM
volume. During the initial install only one Physical Volume (PV) will be part of the Volume Group
(VG). Another PV will be added after install to demonstrate how a VG can be extended.

There are several installation options for LVM, "Guided - use the entire disk and setup LVM" which
will also allow you to assign a portion of the available space to LVM, "Guided - use entire and setup
encrypted LVM", or Manually setup the partitions and configure LVM. At this time the only way to
configure a system with both LVM and standard partitions, during installation, is to use the Manual
approach.

1. Follow the installation steps until you get to the Partition disks step, then:

2. At the "Partition Disks screen choose "Manual".

3. Select the hard disk and on the next screen choose "yes" to "Create a new empty partition table

on this device".

4. Next, create standard /boot, swap, and / partitions with whichever filesystem you prefer.

5. For the LVM /srv, create a new Logical partition. Then change "Use as" to "physical volume for

LVM" then "Done setting up the partition".

6. Now select "Configure the Logical Volume Manager" at the top, and choose "Yes" to write the

changes to disk.

7. For the "LVM configuration action" on the next screen, choose "Create volume group". Enter a

name for the VG such as vg01, or something more descriptive. After entering a name, select the
partition configured for LVM, and choose "Continue".

8. Back at the "LVM configuration action" screen, select "Create logical volume". Select the

newly created volume group, and enter a name for the new LV, for example srv since that is the
intended mount point. Then choose a size, which may be the full partition because it can always
be extended later. Choose "Finish" and you should be back at the main "Partition Disks" screen.

14

Installation

9. Now add a filesystem to the new LVM. Select the partition under "LVM VG vg01, LV srv", or

whatever name you have chosen, the choose Use as. Setup a file system as normal selecting /srv
as the mount point. Once done, select "Done setting up the partition".

10. Finally, select "Finish partitioning and write changes to disk". Then confirm the changes and

continue with the rest of the installation.

There are some useful utilities to view information about LVM:

• vgdisplay: shows information about Volume Groups.

• lvdisplay: has information about Logical Volumes.

• pvdisplay: similarly displays information about Physical Volumes.

4.2.3. Extending Volume Groups

Continuing with srv as an LVM volume example, this section covers adding a second hard disk,
creating a Physical Volume (PV), adding it to the volume group (VG), extending the logical volume

srv and finally extending the filesystem. This example assumes a second hard disk has been added to

the system. This hard disk will be named /dev/sdb in our example. BEWARE: make sure you don't
already have an existing /dev/sdb before issuing the commands below. You could lose some data
if you issue those commands on a non-empty disk. In our example we will use the entire disk as a
physical volume (you could choose to create partitions and use them as different physical volumes)

1. First, create the physical volume, in a terminal execute:

sudo pvcreate /dev/sdb

2. Now extend the Volume Group (VG):

sudo vgextend vg01 /dev/sdb

3. Use vgdisplay to find out the free physical extents - Free PE / size (the size you can allocate). We

will assume a free size of 511 PE (equivalent to 2GB with a PE size of 4MB) and we will use the
whole free space available. Use your own PE and/or free space.

The Logical Volume (LV) can now be extended by different methods, we will only see how to
use the PE to extend the LV:

sudo lvextend /dev/vg01/srv -l +511

The -l option allows the LV to be extended using PE. The -L option allows the LV to be
extended using Meg, Gig, Tera, etc bytes.

4. Even though you are supposed to be able to expand an ext3 or ext4 filesystem without

unmounting it first, it may be a good pratice to unmount it anyway and check the filesystem, so
that you don't mess up the day you want to reduce a logical volume (in that case unmounting first
is compulsory).

15

Installation

The following commands are for an EXT3 or EXT4 filesystem. If you are using another
filesystem there may be other utilities available.

sudo umount /srv
sudo e2fsck -f /dev/vg01/srv

The -f option of e2fsck forces checking even if the system seems clean.

5. Finally, resize the filesystem:

sudo resize2fs /dev/vg01/srv

6. Now mount the partition and check its size.

mount /dev/vg01/srv /srv && df -h /srv

4.2.4. Resources

• See the LVM HOWTO8 for more information.

• Another good article is Managing Disk Space with LVM9 on O'Reilly's linuxdevcenter.com site.

• For more information on fdisk see the fdisk man page10.

16

Chapter 3. Package Management

Ubuntu features a comprehensive package management system for the installation, upgrade,
configuration, and removal of software. In addition to providing access to an organized base of over
24,000 software packages for your Ubuntu computer, the package management facilities also feature
dependency resolution capabilities and software update checking.

Several tools are available for interacting with Ubuntu's package management system, from simple
command-line utilities which may be easily automated by system administrators, to a simple graphical
interface which is easy to use by those new to Ubuntu.

17

Package Management

1. Introduction

Ubuntu's package management system is derived from the same system used by the Debian GNU/
Linux distribution. The package files contain all of the necessary files, meta-data, and instructions to
implement a particular functionality or software application on your Ubuntu computer.

Debian package files typically have the extension '.deb', and typically exist in repositories which are
collections of packages found on various media, such as CD-ROM discs, or online. Packages are
normally of the pre-compiled binary format; thus installation is quick and requires no compiling of
software.

Many complex packages use the concept of dependencies. Dependencies are additional packages
required by the principal package in order to function properly. For example, the speech synthesis
package Festival depends upon the package libasound2, which is a package supplying the
ALSA sound library needed for audio playback. In order for Festival to function, it and all of its
dependencies must be installed. The software management tools in Ubuntu will do this automatically.

18

Package Management

2. dpkg

dpkg is a package manager for Debian based systems. It can install, remove, and build packages, but
unlike other package management system's it can not automatically download and install packages
and their dependencies. This section covers using dpkg to manage locally installed packages:

• To list all packages installed on the system, from a terminal prompt enter:

dpkg -l

• Depending on the amount of packages on your system, this can generate a large amount of output.
Pipe the output through grep to see if a specific package is installed:

dpkg -l | grep apache2

Replace apache2 with any package name, part of a package name, or other regular expression.

• To list the files installed by a package, in this case the ufw package, enter:

dpkg -L ufw

• If you are not sure which package installed a file, dpkg -S may be able to tell you. For example:

dpkg -S /etc/host.conf

base-files: /etc/host.conf

The output shows that the /etc/host.conf belongs to the base-files package.

Many files are automatically generated during the package install process, and even
though they are on the filesystem dpkg -S may not know which package they belong to.

• You can install a local .deb file by entering:

sudo dpkg -i zip_2.32-1_i386.deb

Change zip_2.32-1_i386.deb to the actual file name of the local .deb file.

• Uninstalling a package can be accomplished by:

sudo dpkg -r zip

Uninstalling packages using dpkg, in most cases, is NOT recommended. It is better to use
a package manager that handles dependencies, to ensure that the system is in a consistent
state. For example using dpkg -r you can remove the zip package, but any packages that
depend on it will still be installed and may no longer function correctly.

For more dpkg options see the man page: man dpkg.

19

Package Management

3. Apt-Get

The apt-get command is a powerful command-line tool used to work with Ubuntu's Advanced
Packaging Tool (APT) performing such functions as installation of new software packages, upgrade

of existing software packages, updating of the package list index, and even upgrading the entire
Ubuntu system.

Being a simple command-line tool, apt-get has numerous advantages over other package management
tools available in Ubuntu for server administrators. Some of these advantages include ease of use over
simple terminal connections (SSH) and the ability to be used in system administration scripts, which
can in turn be automated by the cron scheduling utility.

Some examples of popular uses for the apt-get utility:

• Install a Package: Installation of packages using the apt-get tool is quite simple. For example, to
install the network scanner nmap, type the following:

sudo apt-get install nmap

• Remove a Package: Removal of a package or packages is also a straightforward and simple
process. To remove the nmap package installed in the previous example, type the following:

sudo apt-get remove nmap

Multiple Packages: You may specify multiple packages to be installed or removed,
separated by spaces.

Also, adding the --purge options to apt-get remove will remove the package configuration files as
well. This may or may not be the desired effect so use with caution.

• Update the Package Index: The APT package index is essentially a database of available
packages from the repositories defined in the /etc/apt/sources.list file. To update the local
package index with the latest changes made in repositories, type the following:

sudo apt-get update

• Upgrade Packages: Over time, updated versions of packages currently installed on your computer
may become available from the package repositories (for example security updates). To upgrade
your system, first update your package index as outlined above, and then type:

sudo apt-get upgrade

For information on upgrading to a new Ubuntu release see Section 3, “Upgrading” [p. 9].

Actions of the apt-get command, such as installation and removal of packages, are logged in the /var/
log/dpkg.log log file.

20

Package Management

For further information about the use of APT, read the comprehensive Debian APT User Manual1 or
type:

apt-get help

1

http://www.debian.org/doc/user-manuals#apt-howto

21

Package Management

4. Aptitude

Aptitude is a menu-driven, text-based front-end to the Advanced Packaging Tool (APT) system.
Many of the common package management functions, such as installation, removal, and upgrade, are
performed in Aptitude with single-key commands, which are typically lowercase letters.

Aptitude is best suited for use in a non-graphical terminal environment to ensure proper functioning
of the command keys. You may start Aptitude as a normal user with the following command at a
terminal prompt:

sudo aptitude

When Aptitude starts, you will see a menu bar at the top of the screen and two panes below the menu
bar. The top pane contains package categories, such as New Packages and Not Installed Packages.
The bottom pane contains information related to the packages and package categories.

Using Aptitude for package management is relatively straightforward, and the user interface makes
common tasks simple to perform. The following are examples of common package management
functions as performed in Aptitude:

• Install Packages: To install a package, locate the package via the Not Installed Packages package
category, for example, by using the keyboard arrow keys and the ENTER key, and highlight the
package you wish to install. After highlighting the package you wish to install, press the + key,
and the package entry should turn green, indicating it has been marked for installation. Now press
g to be presented with a summary of package actions. Press g again, and you will be prompted to
become root to complete the installation. Press ENTER which will result in a Password: prompt.
Enter your user password to become root. Finally, press g once more and you'll be prompted to
download the package. Press ENTER on the Continue prompt, and downloading and installation of
the package will commence.

• Remove Packages: To remove a package, locate the package via the Installed Packages package
category, for example, by using the keyboard arrow keys and the ENTER key, and highlight the
package you wish to remove. After highlighting the package you wish to install, press the - key,
and the package entry should turn pink, indicating it has been marked for removal. Now press g
to be presented with a summary of package actions. Press g again, and you will be prompted to
become root to complete the installation. Press ENTER which will result in a Password: prompt.
Enter your user password to become root. Finally, press g once more, and you'll be prompted to
download the package. Press ENTER on the Continue prompt, and removal of the package will
commence.

• Update Package Index: To update the package index, simply press the u key and you will be
prompted to become root to complete the update. Press ENTER which will result in a Password:
prompt. Enter your user password to become root. Updating of the package index will commence.
Press ENTER on the OK prompt when the download dialog is presented to complete the process.

• Upgrade Packages: To upgrade packages, perform the update of the package index as detailed
above, and then press the U key to mark all packages with updates. Now press g whereby you'll be

22

Package Management

presented with a summary of package actions. Press g again, and you will be prompted to become
root to complete the installation. Press ENTER which will result in a Password: prompt. Enter your
user password to become root. Finally, press g once more, and you'll be prompted to download the
packages. Press ENTER on the Continue prompt, and upgrade of the packages will commence.

The first column of information displayed in the package list in the top pane, when actually viewing
packages lists the current state of the package, and uses the following key to describe the state of the
package:

• i: Installed package

• c: Package not installed, but package configuration remains on system

• p: Purged from system

• v: Virtual package

• B: Broken package

• u: Unpacked files, but package not yet configured

• C: Half-configured - Configuration failed and requires fix

• H: Half-installed - Removal failed and requires fix

To exit Aptitude, simply press the q key and confirm you wish to exit. Many other functions are
available from the Aptitude menu by pressing the F10 key.

23

Package Management

5. Automatic Updates

The unattended-upgrades package can be used to automatically install updated packages, and can be
configured to update all packages or just install security updates. First, install the package by entering
the following in a terminal:

sudo apt-get install unattended-upgrades

To configure unattended-upgrades, edit /etc/apt/apt.conf.d/50unattended-upgrades and adjust
the following to fit your needs:

Unattended-Upgrade::Allowed-Origins {
"Ubuntu karmic-security";
// "Ubuntu karmic-updates";
};

Certain packages can also be blacklisted and therefore will not be automatically updated. To blacklist
a package, add it to the list:

Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};

The double “//” serve as comments, so whatever follows "//" will not be evaluated.

The results of unattended-upgrades will be logged to /var/log/unattended-upgrades.

5.1. Notifications

Configuring Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades will
enable unattended-upgrades to email an administrator detailing any packages that need upgrading or
have problems.

Another useful package is apticron. apticron will configure a cron job to email an administrator
information about any packages on the system that need updated as well as a summary of changes in
each package.

To install the apticron package, in a terminal enter:

sudo apt-get install apticron

Once the package is installed edit /etc/apticron/apticron.conf, to set the email address and other
options:

24

EMAIL="root@example.com"

Package Management

25

Package Management

6. Configuration

Configuration of the Advanced Packaging Tool (APT) system repositories is stored in the /etc/apt/
sources.list configuration file. An example of this file is referenced here, along with information on
adding or removing repository references from the file.

Here2 is a simple example of a typical /etc/apt/sources.list file.

You may edit the file to enable repositories or disable them. For example, to disable the requirement
of inserting the Ubuntu CD-ROM whenever package operations occur, simply comment out the
appropriate line for the CD-ROM, which appears at the top of the file:

# no more prompting for CD-ROM please
# deb cdrom:[Ubuntu 9.10_Karmic_Koala - Release i386 (20070419.1)]/ karmic main restricted

6.1. Extra Repositories

In addition to the officially supported package repositories available for Ubuntu, there exist additional
community-maintained repositories which add thousands more potential packages for installation.
Two of the most popular are the Universe and Multiverse repositories. These repositories are not
officially supported by Ubuntu, but because they are maintained by the community they generally
provide packages which are safe for use with your Ubuntu computer.

Packages in the Multiverse repository often have licensing issues that prevent them from
being distributed with a free operating system, and they may be illegal in your locality.

Be advised that neither the Universe or Multiverse repositories contain officially supported
packages. In particular, there may not be security updates for these packages.

Many other package sources are available, sometimes even offering only one package, as in the case
of package sources provided by the developer of a single application. You should always be very
careful and cautious when using non-standard package sources, however. Research the source and
packages carefully before performing any installation, as some package sources and their packages
could render your system unstable or non-functional in some respects.

By default, the Universe and Multiverse repositories are enabled but if you would like to disable them
edit /etc/apt/sources.list and comment the following lines:

deb http://archive.ubuntu.com/ubuntu karmic universe multiverse
deb-src http://archive.ubuntu.com/ubuntu karmic universe multiverse

deb http://us.archive.ubuntu.com/ubuntu/ karmic universe
deb-src http://us.archive.ubuntu.com/ubuntu/ karmic universe

2

../sample/sources.list

26

Package Management

deb http://us.archive.ubuntu.com/ubuntu/ karmic-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ karmic-updates universe

deb http://us.archive.ubuntu.com/ubuntu/ karmic multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ karmic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ karmic-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ karmic-updates multiverse

deb http://security.ubuntu.com/ubuntu karmic-security universe
deb-src http://security.ubuntu.com/ubuntu karmic-security universe
deb http://security.ubuntu.com/ubuntu karmic-security multiverse
deb-src http://security.ubuntu.com/ubuntu karmic-security multiverse

27

Package Management

7. References

Most of the material covered in this chapter is available in man pages, many of which are available
online.

• For more dpkg details see the dpkg man page3.

• The APT HOWTO4 and apt-get man page5 contain useful information regarding apt-get usage.

• See the aptitude man page6 for more aptitude options.

• The Adding Repositories HOWTO (Ubuntu Wiki)7 page contains more details on adding
repositories.

28

Chapter 4. Networking

Networks consist of two or more devices, such as computer systems, printers, and related equipment
which are connected by either physical cabling or wireless links for the purpose of sharing and
distributing information among the connected devices.

This section provides general and specific information pertaining to networking, including an
overview of network concepts and detailed discussion of popular network protocols.

29

Networking

1. Network Configuration

Ubuntu ships with a number of graphical utilities to configure your network devices. This document is
geared toward server administrators and will focus on managing your network on the command line.

1.1. Ethernet

Most Ethernet configuration is centralized in a single file, /etc/network/interfaces. If you have no
Ethernet devices, only the loopback interface will appear in this file, and it will look something like
this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0

If you have only one Ethernet device, eth0, and it gets its configuration from a DHCP server, and it
should come up automatically at boot, only two additional lines are required:

auto eth0
iface eth0 inet dhcp

The first line specifies that the eth0 device should come up automatically when you boot. The second
line means that interface (“iface”) eth0 should have an IPv4 address space (replace “inet” with “inet6”
for an IPv6 device) and that it should get its configuration automatically from DHCP. Assuming your
network and DHCP server are properly configured, this machine's network should need no further
configuration to operate properly. The DHCP server will provide the default gateway (implemented
via the route command), the device's IP address (implemented via the ifconfig command), and DNS
servers used on the network (implemented in the /etc/resolv.conf file.)

To configure your Ethernet device with a static IP address and custom configuration, some more
information will be required. Suppose you want to assign the IP address 192.168.0.2 to the device
eth1, with the typical netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1.
You would enter something like this into /etc/network/interfaces:

iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
gateway 192.168.0.1

In this case, you will need to specify your DNS servers manually in /etc/resolv.conf, which should
look something like this:

30

Networking

search mydomain.example
nameserver 192.168.0.1
nameserver 4.2.2.2

The search directive will append mydomain.example to hostname queries in an attempt to resolve
names to your network. For example, if your network's domain is mydomain.example and you
try to ping the host “mybox”, the DNS query will be modified to “mybox.mydomain.example”
for resolution. The nameserver directives specify DNS servers to be used to resolve hostnames to
IP addresses. If you use your own nameserver, enter it here. Otherwise, ask your Internet Service
Provider for the primary and secondary DNS servers to use, and enter them into /etc/resolv.conf as
shown above.

Many more configurations are possible, including dialup PPP interfaces, IPv6 networking, VPN
devices, etc. Refer to man 5 interfaces for more information and supported options. Remember that /

etc/network/interfaces is used by the ifup/ifdown scripts as a higher level configuration scheme

than may be used in some other Linux distributions, and that the traditional, lower level utilities such
as ifconfig, route, and dhclient are still available to you for ad hoc configurations.

1.2. Managing DNS Entries

This section explains how to configure which nameserver to use when resolving IP addresses to
hostnames and vice versa. It does not explain how to configure the system as a name server.

To manage DNS entries, you can add, edit, or remove DNS names from the /etc/resolv.conf file. A
sample file is given below:

search com
nameserver 204.11.126.131
nameserver 64.125.134.133
nameserver 64.125.134.132
nameserver 208.185.179.218

The search key specifies the string which will be appended to an incomplete hostname. Here, we have
configured it to com. So, when we run: ping ubuntu it would be interpreted as ping ubuntu.com.

The nameserver key specifies the nameserver IP address. It will be used to resolve a given IP address
or hostname. This file can have multiple nameserver entries. The nameservers will be used by the
network query in the same order.

If the DNS server names are retrieved dynamically from DHCP or PPPoE (retrieved from
your ISP), do not add nameserver entries in this file. It will be overwritten.

1.3. Managing Hosts

To manage hosts, you can add, edit, or remove hosts from /etc/hosts file. The file contains IP
addresses and their corresponding hostnames. When your system tries to resolve a hostname to an IP

31

Networking

address or determine the hostname for an IP address, it refers to the /etc/hosts file before using the
name servers. If the IP address is listed in the /etc/hosts file, the name servers are not used. This
behavior can be modified by editing /etc/nsswitch.conf at your peril.

If your network contains computers whose IP addresses are not listed in DNS, it is recommended that
you add them to the /etc/hosts file.

1.4. Bridging

Bridging multiple interfaces is a more advanced configuration, but is very useful in multiple
scenarios. One scenario is setting up a bridge with multiple network interfaces, then using a firewall
to filter traffic between two network segments. Another scenario is using bridge on a system with
one interface to allow virtual machines direct access to the outside network. The following example
covers the latter scenario.

Before configuring a bridge you will need to install the bridge-utils package. To install the package, in
a terminal enter:

sudo apt-get install bridge-utils

Next, configure the bridge by editing /etc/network/interfaces:

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off

Enter the appropriate values for your physical interface and network.

Now restart networking to enable the bridge interface:

sudo /etc/init.d/networking restart

The new bridge interface should now be up and running. The brctl provides useful information about
the state of the bridge, controls which interfaces are part of the bridge, etc. See man brctl for more
information.

32

Networking

1.5. Resources

• The interfaces man page1 has details on more options for /etc/network/interfaces.

• For more information on DNS client configuration see the resolver man page2. Also, Chapter 6
of O'Reilly's Linux Network Administrator's Guide3 is a good source of resolver and name service
configuration information.

• For more information on bridging see the brctl man page4 and the Linux Foundation's Net:Bridge
page.

5

33

Networking

2. TCP/IP

The Transmission Control Protocol and Internet Protocol (TCP/IP) is a standard set of protocols
developed in the late 1970s by the Defense Advanced Research Projects Agency (DARPA) as a
means of communication between different types of computers and computer networks. TCP/IP is the
driving force of the Internet, and thus it is the most popular set of network protocols on Earth.

2.1. TCP/IP Introduction

The two protocol components of TCP/IP deal with different aspects of computer networking. Internet
Protocol, the "IP" of TCP/IP is a connectionless protocol which deals only with network packet
routing using the IP Datagram as the basic unit of networking information. The IP Datagram consists
of a header followed by a message. The Transmission Control Protocol is the "TCP" of TCP/IP and
enables network hosts to establish connections which may be used to exchange data streams. TCP
also guarantees that the data between connections is delivered and that it arrives at one network host
in the same order as sent from another network host.

2.2. TCP/IP Configuration

The TCP/IP protocol configuration consists of several elements which must be set by editing the
appropriate configuration files, or deploying solutions such as the Dynamic Host Configuration
Protocol (DHCP) server which in turn, can be configured to provide the proper TCP/IP configuration
settings to network clients automatically. These configuration values must be set correctly in order to
facilitate the proper network operation of your Ubuntu system.

The common configuration elements of TCP/IP and their purposes are as follows:

• IP address The IP address is a unique identifying string expressed as four decimal numbers
ranging from zero (0) to two-hundred and fifty-five (255), separated by periods, with each of the
four numbers representing eight (8) bits of the address for a total length of thirty-two (32) bits for
the whole address. This format is called dotted quad notation.

• Netmask The Subnet Mask (or simply, netmask) is a local bit mask, or set of flags which separate
the portions of an IP address significant to the network from the bits significant to the subnetwork.
For example, in a Class C network, the standard netmask is 255.255.255.0 which masks the first
three bytes of the IP address and allows the last byte of the IP address to remain available for
specifying hosts on the subnetwork.

• Network Address The Network Address represents the bytes comprising the network portion
of an IP address. For example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as
the network address, where twelve (12) represents the first byte of the IP address, (the network
part) and zeroes (0) in all of the remaining three bytes to represent the potential host values. A
network host using the private IP address 192.168.1.100 would in turn use a Network Address of

192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 network and a zero (0)
for all the possible hosts on the network.

34

Networking

• Broadcast Address The Broadcast Address is an IP address which allows network data to be sent
simultaneously to all hosts on a given subnetwork rather than specifying a particular host. The
standard general broadcast address for IP networks is 255.255.255.255, but this broadcast address
cannot be used to send a broadcast message to every host on the Internet because routers block
it. A more appropriate broadcast address is set to match a specific subnetwork. For example, on
the private Class C IP network, 192.168.1.0, the broadcast address is 192.168.1.255. Broadcast
messages are typically produced by network protocols such as the Address Resolution Protocol
(ARP) and the Routing Information Protocol (RIP).

• Gateway Address A Gateway Address is the IP address through which a particular network,
or host on a network, may be reached. If one network host wishes to communicate with another
network host, and that host is not located on the same network, then a gateway must be used. In
many cases, the Gateway Address will be that of a router on the same network, which will in turn
pass traffic on to other networks or hosts, such as Internet hosts. The value of the Gateway Address
setting must be correct, or your system will not be able to reach any hosts beyond those on the same
network.

• Nameserver Address Nameserver Addresses represent the IP addresses of Domain Name Service
(DNS) systems, which resolve network hostnames into IP addresses. There are three levels of
Nameserver Addresses, which may be specified in order of precedence: The Primary Nameserver,
the Secondary Nameserver, and the Tertiary Nameserver. In order for your system to be able
to resolve network hostnames into their corresponding IP addresses, you must specify valid
Nameserver Addresses which you are authorized to use in your system's TCP/IP configuration. In
many cases these addresses can and will be provided by your network service provider, but many
free and publicly accessible nameservers are available for use, such as the Level3 (Verizon) servers
with IP addresses from 4.2.2.1 to 4.2.2.6.

The IP address, Netmask, Network Address, Broadcast Address, and Gateway
Address are typically specified via the appropriate directives in the file /etc/network/

interfaces. The Nameserver Addresses are typically specified via nameserver directives

in the file /etc/resolv.conf. For more information, view the system manual page
for interfaces or resolv.conf respectively, with the following commands typed at a
terminal prompt:

Access the system manual page for interfaces with the following command:

man interfaces

Access the system manual page for resolv.conf with the following command:

man resolv.conf

35

Networking

2.3. IP Routing

IP routing is a means of specifying and discovering paths in a TCP/IP network along which network
data may be sent. Routing uses a set of routing tables to direct the forwarding of network data packets
from their source to the destination, often via many intermediary network nodes known as routers.
There are two primary forms of IP routing: Static Routing and Dynamic Routing.

Static routing involves manually adding IP routes to the system's routing table, and this is usually
done by manipulating the routing table with the route command. Static routing enjoys many
advantages over dynamic routing, such as simplicity of implementation on smaller networks,
predictability (the routing table is always computed in advance, and thus the route is precisely the
same each time it is used), and low overhead on other routers and network links due to the lack of
a dynamic routing protocol. However, static routing does present some disadvantages as well. For
example, static routing is limited to small networks and does not scale well. Static routing also fails
completely to adapt to network outages and failures along the route due to the fixed nature of the
route.

Dynamic routing depends on large networks with multiple possible IP routes from a source to a
destination and makes use of special routing protocols, such as the Router Information Protocol
(RIP), which handle the automatic adjustments in routing tables that make dynamic routing possible.
Dynamic routing has several advantages over static routing, such as superior scalability and the ability
to adapt to failures and outages along network routes. Additionally, there is less manual configuration
of the routing tables, since routers learn from one another about their existence and available routes.
This trait also eliminates the possibility of introducing mistakes in the routing tables via human error.
Dynamic routing is not perfect, however, and presents disadvantages such as heightened complexity
and additional network overhead from router communications, which does not immediately benefit
the end users, but still consumes network bandwidth.

2.4. TCP and UDP

TCP is a connection-based protocol, offering error correction and guaranteed delivery of data via
what is known as flow control. Flow control determines when the flow of a data stream needs to be
stopped, and previously sent data packets should to be re-sent due to problems such as collisions,
for example, thus ensuring complete and accurate delivery of the data. TCP is typically used in the
exchange of important information such as database transactions.

The User Datagram Protocol (UDP), on the other hand, is a connectionless protocol which seldom
deals with the transmission of important data because it lacks flow control or any other method to
ensure reliable delivery of the data. UDP is commonly used in such applications as audio and video
streaming, where it is considerably faster than TCP due to the lack of error correction and flow
control, and where the loss of a few packets is not generally catastrophic.

36

Networking

2.5. ICMP

The Internet Control Messaging Protocol (ICMP) is an extension to the Internet Protocol (IP) as
defined in the Request For Comments (RFC) #792 and supports network packets containing control,
error, and informational messages. ICMP is used by such network applications as the ping utility,
which can determine the availability of a network host or device. Examples of some error messages
returned by ICMP which are useful to both network hosts and devices such as routers, include
Destination Unreachable and Time Exceeded.

2.6. Daemons

Daemons are special system applications which typically execute continuously in the background and
await requests for the functions they provide from other applications. Many daemons are network­centric; that is, a large number of daemons executing in the background on an Ubuntu system may
provide network-related functionality. Some examples of such network daemons include the Hyper

Text Transport Protocol Daemon (httpd), which provides web server functionality; the Secure SHell
Daemon (sshd), which provides secure remote login shell and file transfer capabilities; and the
Internet Message Access Protocol Daemon (imapd), which provides E-Mail services.

2.7. Resources

• There are man pages for TCP6 and IP7 that contain more useful information.

• Also, see the TCP/IP Tutorial and Technical Overview8 IBM Redbook.

• Another resource is O'Reilly's TCP/IP Network Administration9.

37

Networking

3. Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host computers
to be automatically assigned settings from a server as opposed to manually configuring each network
host. Computers configured to be DHCP clients have no control over the settings they receive from
the DHCP server, and the configuration is transparent to the computer's user.

The most common settings provided by a DHCP server to DHCP clients include:

• IP-Address and Netmask

• DNS

• WINS

However, a DHCP server can also supply configuration properties such as:

• Host Name

• Domain Name

• Default Gateway

• Time Server

• Print Server

The advantage of using DHCP is that changes to the network, for example a change in the address of
the DNS server, need only be changed at the DHCP server, and all network hosts will be reconfigured
the next time their DHCP clients poll the DHCP server. As an added advantage, it is also easier to
integrate new computers into the network, as there is no need to check for the availability of an IP
address. Conflicts in IP address allocation are also reduced.

A DHCP server can provide configuration settings using two methods:
MAC Address

This method entails using DHCP to identify the unique hardware address of each network card
connected to the network and then continually supplying a constant configuration each time the
DHCP client makes a request to the DHCP server using that network device.

Address Pool

This method entails defining a pool (sometimes also called a range or scope) of IP addresses from
which DHCP clients are supplied their configuration properties dynamically and on a "first come,
first served" basis. When a DHCP client is no longer on the network for a specified period, the
configuration is expired and released back to the address pool for use by other DHCP Clients.

Ubuntu is shipped with both DHCP server and client. The server is dhcpd (dynamic host
configuration protocol daemon). The client provided with Ubuntu is dhclient and should be installed
on all computers required to be automatically configured. Both programs are easy to install and
configure and will be automatically started at system boot.

3.1. Installation

At a terminal prompt, enter the following command to install dhcpd:

38

Networking

sudo apt-get install dhcp3-server

You will probably need to change the default configuration by editing /etc/dhcp3/dhcpd.conf to suit
your needs and particular configuration.

You also need to edit /etc/default/dhcp3-server to specify the interfaces dhcpd should listen to. By
default it listens to eth0.

NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics messages.

3.2. Configuration

The error message the installation ends with might be a little confusing, but the following steps will
help you configure the service:

Most commonly, what you want to do is assign an IP address randomly. This can be done with
settings as follows:

# Sample /etc/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "mydomain.example";

subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
range 192.168.1.150 192.168.1.200;
}

This will result in the DHCP server giving a client an IP address from the range

192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address for 600

seconds if the client doesn't ask for a specific time frame. Otherwise the maximum (allowed) lease
will be 7200 seconds. The server will also "advise" the client that it should use 255.255.255.0 as
its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as the router/gateway and

192.168.1.1 and 192.168.1.2 as its DNS servers.

If you need to specify a WINS server for your Windows clients, you will need to include the netbios­name-servers option, e.g.

option netbios-name-servers 192.168.1.1;

Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can be found here10.

10

http://www.tldp.org/HOWTO/DHCP/index.html

39

Networking

3.3. References

• For more /etc/dhcp3/dchpd.conf options see the dhcpd.conf man page11.

• Also see the DHCP FAQ

12

40

Networking

4. Time Synchronisation with NTP

This page describes methods for keeping your computer's time accurate. This is useful for servers, but
is not necessary (or desirable) for desktop machines.

NTP is a TCP/IP protocol for synchronising time over a network. Basically a client requests the
current time from a server, and uses it to set its own clock.

Behind this simple description, there is a lot of complexity - there are tiers of NTP servers, with
the tier one NTP servers connected to atomic clocks (often via GPS), and tier two and three servers
spreading the load of actually handling requests across the Internet. Also the client software is a lot
more complex than you might think - it has to factor out communication delays, and adjust the time in
a way that does not upset all the other processes that run on the server. But luckily all that complexity
is hidden from you!

Ubuntu has two ways of automatically setting your time: ntpdate and ntpd.

4.1. ntpdate

Ubuntu comes with ntpdate as standard, and will run it once at boot time to set up your time according
to Ubuntu's NTP server. However, a server's clock is likely to drift considerably between reboots, so
it makes sense to correct the time occasionally. The easiest way to do this is to get cron to run ntpdate
every day. With your favorite editor, as root, create a file /etc/cron.daily/ntpdate containing:

ntpdate ntp.ubuntu.com

The file /etc/cron.daily/ntpdate must also be executable.

sudo chmod 755 /etc/cron.daily/ntpdate

4.2. ntpd

ntpdate is a bit of a blunt instrument - it can only adjust the time once a day, in one big correction.
The ntp daemon ntpd is far more subtle. It calculates the drift of your system clock and continuously
adjusts it, so there are no large corrections that could lead to inconsistent logs for instance. The cost is
a little processing power and memory, but for a modern server this is negligible.

To set up ntpd:

sudo apt-get install ntp

4.3. Changing Time Servers

In both cases above, your system will use Ubuntu's NTP server at ntp.ubuntu.com by default. This is
OK, but you might want to use several servers to increase accuracy and resilience, and you may want
to use time servers that are geographically closer to you. to do this for ntpdate, change the contents of

/etc/cron.daily/ntpdate to:

41

Networking

ntpdate ntp.ubuntu.com pool.ntp.org

And for ntpd edit /etc/ntp.conf to include additional server lines:

server ntp.ubuntu.com
server pool.ntp.org

You may notice pool.ntp.org in the examples above. This is a really good idea which uses round­robin DNS to return an NTP server from a pool, spreading the load between several different servers.
Even better, they have pools for different regions - for instance, if you are in New Zealand, so you
could use nz.pool.ntp.org instead of pool.ntp.org . Look at http://www.pool.ntp.org/ for more
details.

You can also Google for NTP servers in your region, and add these to your configuration. To test that
a server works, just type sudo ntpdate ntp.server.name and see what happens.

4.4. Related Pages

• NTP Support

• The NTP FAQ and HOWTO

13

14

42

Chapter 5. Remote Administration

There are many ways to remotely administer a Linux server. This chapter will cover one of the most
popular SSH as well as eBox, a web based administration framework.

43

Remote Administration

1. OpenSSH Server

1.1. Introduction

This section of the Ubuntu Server Guide introduces a powerful collection of tools for the remote
control of networked computers and transfer of data between networked computers, called OpenSSH.
You will also learn about some of the configuration settings possible with the OpenSSH server
application and how to change them on your Ubuntu system.

OpenSSH is a freely available version of the Secure Shell (SSH) protocol family of tools for remotely
controlling a computer or transferring files between computers. Traditional tools used to accomplish
these functions, such as telnet or rcp, are insecure and transmit the user's password in cleartext when
used. OpenSSH provides a server daemon and client tools to facilitate secure, encrypted remote
control and file transfer operations, effectively replacing the legacy tools.

The OpenSSH server component, sshd, listens continuously for client connections from any of the
client tools. When a connection request occurs, sshd sets up the correct connection depending on the
type of client tool connecting. For example, if the remote computer is connecting with the ssh client
application, the OpenSSH server sets up a remote control session after authentication. If a remote user
connects to an OpenSSH server with scp, the OpenSSH server daemon initiates a secure copy of files
between the server and client after authentication. OpenSSH can use many authentication methods,
including plain password, public key, and Kerberos tickets.

1.2. Installation

Installation of the OpenSSH client and server applications is simple. To install the OpenSSH client
applications on your Ubuntu system, use this command at a terminal prompt:

sudo apt-get install openssh-client

To install the OpenSSH server application, and related support files, use this command at a terminal
prompt:

sudo apt-get install openssh-server

The openssh-server package can also be selected to install during the Server Edition installation
process.

1.3. Configuration

You may configure the default behavior of the OpenSSH server application, sshd, by editing the file

/etc/ssh/sshd_config. For information about the configuration directives used in this file, you may

view the appropriate manual page with the following command, issued at a terminal prompt:

man sshd_config

44

Remote Administration

There are many directives in the sshd configuration file controlling such things as communication
settings and authentication modes. The following are examples of configuration directives that can be
changed by editing the /etc/ssh/sshd_config file.

Prior to editing the configuration file, you should make a copy of the original file and protect
it from writing so you will have the original settings as a reference and to reuse as necessary.

Copy the /etc/ssh/sshd_config file and protect it from writing with the following
commands, issued at a terminal prompt:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

The following are examples of configuration directives you may change:

• To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port 22, change the
Port directive as such:

Port 2222

• To have sshd allow public key-based login credentials, simply add or modify the line:

PubkeyAuthentication yes

In the /etc/ssh/sshd_config file, or if already present, ensure the line is not commented out.

• To make your OpenSSH server display the contents of the /etc/issue.net file as a pre-login
banner, simply add or modify the line:

Banner /etc/issue.net

In the /etc/ssh/sshd_config file.

After making changes to the /etc/ssh/sshd_config file, save the file, and restart the sshd server
application to effect the changes using the following command at a terminal prompt:

sudo /etc/init.d/ssh restart

Many other configuration directives for sshd are available for changing the server
application's behavior to fit your needs. Be advised, however, if your only method of
access to a server is ssh, and you make a mistake in configuring sshd via the /etc/ssh/

sshd_config file, you may find you are locked out of the server upon restarting it, or that

the sshd server refuses to start due to an incorrect configuration directive, so be extra careful
when editing this file on a remote server.

1.4. SSH Keys

SSH keys allow authentication between two hosts without the need of a password. SSH key
authentication uses two keys a private key and a public key.

45

Remote Administration

To generate the keys, from a terminal prompt enter:

ssh-keygen -t dsa

This will generate the keys using a DSA authentication identity of the user. During the process you
will be prompted for a password. Simply hit Enter when prompted to create the key.

By default the public key is saved in the file ~/.ssh/id_dsa.pub, while ~/.ssh/id_dsa is the private
key. Now copy the id_dsa.pub file to the remote host and append it to ~/.ssh/authorized_keys by
entering:

ssh-copy-id username@remotehost

Finally, double check the permissions on the authorized_keys file, only the authenticated user
should have read and write permissions. If the permissions are not correct change them by:

chmod 644 .ssh/authorized_keys

You should now be able to SSH to the host without being prompted for a password.

1.5. References

OpenSSH Website

Advanced OpenSSH Wiki Page

1

2

1

http://www.openssh.org/

2

https://wiki.ubuntu.com/AdvancedOpenSSH

46

Remote Administration

2. eBox

eBox is a web framework used to manage server application configuration. The modular design of
eBox allows you to pick and choose which services you want to configure using eBox.

2.1. Installation

The different eBox modules are split into different packages, allowing you to only install those
necessary. One way to view the available packages is to enter the following from a terminal:

apt-cache rdepends ebox | uniq

To install the ebox package, which contains the default modules, enter the following:

sudo apt-get install ebox

During the installation you will be asked to supply a password for the ebox user. After installing eBox
the web interface can be accessed from: https://yourserver/ebox.

2.2. Configuration

An important thing to remember when using eBox is that when configuring most modules there is a
Change button that implements the new configuration. After clicking the Change button most, but not
all, modules will then need to be Saved. To save the new configuration click on the “Save changes”
link in the top right hand corner.

Once you make a change that requires a Save, the link will change from green to red.

2.3. eBox Modules

By default all eBox Modules are not enabled, and when a new module is installed it will not be
automatically enabled.

To enable a disabled module click on the Module status link in the left hand menu. Then check which
modules you would like to enable and click the “Save” link.

2.3.1. Default Modules

This section provides a quick summary of the default eBox modules.

• System: contains options allowing configuration of general eBox items.

• General: allows you to set the language, port number, and contains a change password form.

• Disk Usage: displays a graph detailing information about disk usage.

• Backup: is used to backup eBox configuration information, and the Full Backup option allows

you to save all eBox information not included in the Configuration option such as log files.

47

Remote Administration

• Halt/Reboot: will shutdown the system or reboot it.

• Bug Report: creates a file containing details helpful when reporting bugs to the eBox developers.

• Logs: allows eBox logs to be queried depending on the purge time configured.

• Events: this module has the ability to send alerts through rss, jabber, and log file.

• Available Events:

• Free Storage Space: will send alert if free disk space drops below a configured percentage,
10% by default.

• Log Observer: unfortunately this event does not work with the eBox version shipped with
Ubuntu 7.10.

• RAID: will monitor the RAID system and send alerts if any issues arise.

• Service: sends alerts if a service restarts multiple times in a short time period.

• State: alerts on the state of eBox, either up or down.

• Dispatchers:

• Log: this dispatcher will send event messages to the eBox log file /var/log/ebox/ebox.log.

• Jabber: before enabling this dispatcher you must first configure it by clicking on the
“Configure” icon.

• RSS: once this dispatcher is configured you can subscribe to the link in order to view event
alerts.

2.4. Additional Modules

Here is a quick description of other available eBox modules:

• Network: allows configuration of the server's network options through eBox.

• Firewall: configures firewall options for the eBox host.

• UsersandGroups: this module will manage users and groups contained in an OpenLDAP LDAP
directory.

• DHCP: provides an interface for configuring a DHCP server.

• DNS: provides BIND9 DNS server configuration options.

• Objects: allow configuration of eBox Network Objects, which allow you to assign a name to an IP
address or group of IPs.

• Services: displays configuration information for services that are available to the network.

• Squid: configuration options for the Squid proxy server.

• CA: configures a Certificate Authority for the server.

• NTP: set Network Time Protocol options.

• Printers: allows the configuration of printers.

• Samba: configuration options for Samba.

• OpenVPN: setup options for OpenVPN Virtual Private Network application.

48

Remote Administration

2.5. Resources

• For more information see the eBox Home Page3.

49

Chapter 6. Network Authentication

This section explains various Network Authentication protocols.

50

Network Authentication

1. OpenLDAP Server

LDAP is an acronym for Lightweight Directory Access Protocol, it is a simplified version of the
X.500 protocol. The directory setup in this section will be used for authentication. Nevertheless,
LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address
book, etc.

To describe LDAP quickly, all information is stored in a tree structure. With OpenLDAP you have
freedom to determine the directory arborescence (the Directory Information Tree: the DIT) yourself.
We will begin with a basic tree containing two nodes below the root:

• "People" node where your users will be stored

• "Groups" node where your groups will be stored

Before beginning, you should determine what the root of your LDAP directory will be. By default,
your tree will be determined by your Fully Qualified Domain Name (FQDN). If your domain is
example.com (which we will use in this example), your root node will be dc=example,dc=com.

1.1. Installation

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP
management utilities:

sudo apt-get install slapd ldap-utils

The installation process will prompt you for the LDAP directory admin password and confirmation.

By default the directory suffix will match the domain name of the server. For example, if the
machine's Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be
dc=example,dc=com. If you require a different suffix, the directory can be reconfigured using dpkg­reconfigure. Enter the following in a terminal prompt:

sudo dpkg-reconfigure slapd

You will then be taken through a menu based configuration dialog, allowing you to configure various
slapd options.

1.2. Configuration

OpenLDAP uses a separate database which contains the cn=config Directory Information Tree (DIT).
The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of
schema definitions, indexes, ACLs, etc without stopping the service.

The cn=config tree can be manipulated using the utilities in the ldap-utils package. For example:

• Use ldapsearch to view the tree, entering the admin password set during installation or
reconfiguration:

51

Network Authentication

ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb

Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exampl
e,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq

The output above is the current configuration options for the hdb backend database. Which in this
case containes the dc=example,dc=com suffix.

• Refine the search by supplying a filter, in this case only show which attributes are indexed:

ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb olcDbIndex

Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq

• As an example of modifying the cn=config tree, add another attribute to the index list using
ldapmodify:

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: olcDatabase={1}hdb,cn=config

add: olcDbIndex

olcDbIndex: entryUUID eq

modifying entry "olcDatabase={1}hdb,cn=config"

Once the modification has completed, press Ctrl+D to exit the utility.

52

Network Authentication

• ldapmodify can also read the changes from a file. Copy and paste the following into a file named

uid_index.ldif:

dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub

Then execute ldapmodify:

ldapmodify -x -D cn=admin,cn=config -W -f uid_index.ldif

Enter LDAP Password:
modifying entry "olcDatabase={1}hdb,cn=config"

The file method is very useful for large changes.

• Adding additional schemas to slapd requires the schema to be converted to LDIF format.
Fortunately, the slapd program can be used to automate the conversion. The following example will
add the misc.schema:

1. First, create a conversion schema_convert.conf file containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema

2. Next, create a temporary directory to hold the output:

mkdir /tmp/ldif_output

3. Now using slapcat convert the schema files to LDIF:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={8}misc,cn=schema,cn=config" > /tmp/cn=misc.ldif

Adjust the configuration file name and temporary directory names if yours are different. Also,
it may be worthwhile to keep the ldif_output directory around in case you want to add
additional schemas in the future.

4. Edit the /tmp/cn\=misc.ldif file, changing the following attributes:

53

Network Authentication

dn: cn=misc,cn=schema,cn=config
...
cn: misc

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z

The attribute values will vary, just be sure the attributes are removed.

5. Finally, using the ldapadd utility, add the new schema to the directory:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=misc.ldif

There should now be a dn: cn={4}misc,cn=schema,cn=config entry in the cn=config tree.

1.3. Populating LDAP

The directory has been created during installation and reconfiguration, and now it is time to
populate it. It will be populated with a "classical" scheme that will be compatible with address book
applications and with Unix Posix accounts. Posix accounts will allow authentication to various
applications, such as web applications, email Mail Transfer Agent (MTA) applications, etc.

For external applications to authenticate using LDAP they will each need to be specifically
configured to do so. Refer to the individual application documentation for details.

LDAP directories can be populated with LDIF (LDAP Directory Interchange Format) files. Copy the
following example LDIF file, naming it example.com.ldif, somewhere on your system:

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount

54

objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe@example.com
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
postalAddress:
initials: JD

Network Authentication

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: example
gidNumber: 10000

In this example the directory structure, a user, and a group have been setup. In other examples you
might see the objectClass: top added in every entry, but that is the default behaviour so you do not
have to add it explicitly.

To add the entries to the LDAP directory use the ldapadd utility:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f example.com.ldif

We can check that the content has been correctly added with the tools from the ldap-utils package. In
order to execute a search of the LDAP directory:

ldapsearch -xLLL -b "dc=example,dc=com" uid=john sn givenName cn

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
sn: Doe
givenName: John

55

Network Authentication

Just a quick explanation:

• -x: will not use SASL authentication method, which is the default.

• -LLL: disable printing LDIF schema information.

1.4. LDAP replication

LDAP often quickly becomes a highly critical service to the network. Multiple systems will come
to depend on LDAP for authentication, authorization, configuration, etc. It is a good idea to setup a
redundant system through replication.

Replication is achieved using the Syncrepl engine. Syncrepl allows the directory to be synced using
either a push or pull based system. In a push based configuration a “primary” server will push
directory updates to “secondary” servers, while a pull based approach allows replication servers to
sync on a time based interval.

The following is an example of a Multi-Master configuration. In this configuration each OpenLDAP
server is configured for both push and pull replication.

1. First, configure the server to sync the cn=config database. Copy the following to a file named

syncrepl_cn-config.ldif:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap01.example.com
olcServerID: 2 ldap://ldap02.example.com

dn: olcOverlay=syncprov,olcDatabase={0}config,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://ldap01.example.com binddn="cn=admin,cn=config" bindmethod=simple
credentials=secret searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1
olcSyncRepl: rid=002 provider=ldap://ldap02.example.com binddn="cn=admin,cn=config" bindmethod=simple
credentials=secret searchbase="cn=config" type=refreshAndPersist
retry="5 5 300 5" timeout=1

-

56

Network Authentication

add: olcMirrorMode
olcMirrorMode: TRUE

2. Edit the file changing:

• ldap://ldap01.example.com and ldap://ldap02.example.com to the hostnames of your LDAP
servers.

You can have more than two LDAP servers, and when a change is made to one of
them it will by synced to the rest. Be sure to increment the olcServerID for each
server, and the rid for each olcSyncRepl entry.

• And adjust credentials=secret to match your admin password.

3. Next, add the LDIF file using the ldapmodify utility:

ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_cn-config.ldif

4. Copy the syncrepl_cn-config.ldif file to the next LDAP server and repeat the ldapmodify
command above.

5. Because a new module has been added, the slapd daemon, on all replicated servers, needs to be
restarted:

sudo /etc/init.d/slapd restart

6. Now that the configuration database is synced between servers, the backend database
needs to be synced as well. Copy and paste the following into another LDIF file named

syncrepl_backend.ldif:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,dc=example,dc=com

­add: olcSyncRepl
olcSyncRepl: rid=003 provider=ldap://ldap01.example.com binddn="cn=admin,dc=example,dc=com"
bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1
olcSyncRepl: rid=004 provider=ldap://ldap02.example.com binddn="cn=admin,dc=example,dc=com"
bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=refreshOnly
interval=00:00:00:10 retry="5 5 300 5" timeout=1

­add: olcMirrorMode
olcMirrorMode: TRUE

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

7. Like the previous LDIF file, edit this one changing:

57

Network Authentication

• searchbase="dc=example,dc=com" to your directory's searchbase.

• If you use a different admin user, change binddn="cn=admin,dc=example,dc=com".

• Also, replace credentials=secret with your admin password.

8. Add the LDIF file:

ldapmodify -x -D cn=admin,cn=config -W -f syncrepl_backend.ldif

Because the servers' configuration is already synced there is no need to copy this LDIF file to the
other servers.

The configuration and backend databases should now sycnc to the other servers. You can add
additional servers using the ldapmodify utility as the need arises. See Section 1.2, “Configuration” [p.
51] for details.

The slapd daemon will send log information to /var/log/syslog by default. So if all does
not go well check there for errors and other troubleshooting information. Also, be sure that
each server knows it's Fully Qualified Domain Name (FQDN). This is configured in /etc/

hosts with a line similar to:

127.0.0.1 ldap01.example.com ldap01

.

1.5. Setting up ACL

Authentication requires access to the password field, that should be not accessible by default. Also,
in order for users to change their own password, using passwd or other utilities, shadowLastChange
needs to be accessible once a user has authenticated.

To view the Access Control List (ACL), use the ldapsearch utility:

ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb olcAccess

Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=exampl
e,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read

1.6. TLS and SSL

When authenticating to an OpenLDAP server it is best to do so using an encrypted session. This can
be accomplished using Transport Layer Security (TLS) and/or Secure Sockets Layer (SSL).

58

Network Authentication

The first step in the process is to obtain or create a certificate. See Section 5, “Certificates” [p.
115] and Section 5.5, “Certification Authority” [p. 117] for details.

Once you have a certificate, key, and CA cert installed, use ldapmodify to add the new configuration
options:

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: cn=config

add: olcTLSCACertificateFile

olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem

-

add: olcTLSCertificateFile

olcTLSCertificateFile: /etc/ssl/certs/server.crt

-

add: olcTLSCertificateKeyFile

olcTLSCertificateKeyFile: /etc/ssl/private/server.key

modifying entry "cn=config"

Adjust the server.crt, server.key, and cacert.pem names if yours are different. If you
have a self-signed certificate, do NOT add the olcTLSCACertificateFile property, as it will
cause GnuTLS to fail..

Next, edit /etc/default/slapd uncomment the SLAPD_SERVICES option:

SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"

Now the openldap user needs access to the certificate:

sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/server.key
sudo chmod g+r /etc/ssl/private/server.key

If the /etc/ssl/private and /etc/ssl/private/server.key have different permissions,
adjust the commands appropriately.

Finally, restart slapd:

sudo /etc/init.d/slapd restart

The slapd daemon should now be listening for LDAPS connections and be able to use STARTTLS
during authentication.

If you run into troubles with the server not starting, check the /var/log/syslog. If you see
errors like main: TLS init def ctx failed: -1, it is likely there is a configuration problem.

59

Network Authentication

Check that the certificate is signed by the authority from in the files configured, and that the
ssl-cert group has read permissions on the private key.

1.6.1. TLS Replication

If you have setup Syncrepl between servers, it is prudent to encrypt the replication traffic using

Transport Layer Security (TLS). For details on setting up replication see Section 1.4, “LDAP
replication” [p. 56].

After setting up replication, and following the instructions in Section 1.6, “TLS and SSL” [p. 58],
there are a couple of consequences that should be kept in mind:

• The configuration only needs to be modified on one server.

• The path names for the certificate and key must be the same on all servers.

So on each replicated server: install a certificate, edit /etc/default/slapd, and restart slapd.

Once TLS has been setup on each server, modify the cn=config replication by entering the following
in a terminal:

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: olcDatabase={0}config,cn=config

replace: olcSyncrepl

olcSyncrepl: {0}rid=001 provider=ldap://ldap01.example.com binddn="cn=admin,cn

=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refre

shAndPersist retry="5 5 300 5" timeout=1 starttls=yes

olcSyncrepl: {1}rid=002 provider=ldap://ldap02.example.com binddn="cn=admin,cn

=config" bindmethod=simple credentials=secret searchbase="cn=config" type=refre

shAndPersist retry="5 5 300 5" timeout=1 starttls=yes

modifying entry "olcDatabase={0}config,cn=config"

Now adjust the backend database replication:

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: olcDatabase={1}hdb,cn=config

replace: olcSyncrepl

olcSyncrepl: {0}rid=003 provider=ldap://ldap01.example.com binddn="cn=admin,dc=example,dc=

com" bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=r

efreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes

olcSyncrepl: {1}rid=004 provider=ldap://ldap02.example.com binddn="cn=admin,dc=example,dc=

com" bindmethod=simple credentials=secret searchbase="dc=example,dc=com" type=r

efreshOnly interval=00:00:00:10 retry="5 5 300 5" timeout=1 starttls=yes

60

Network Authentication

modifying entry "olcDatabase={1}hdb,cn=config"

If the LDAP server hostname does not match the Fully Qualified Domain Name (FQDN) in the
certificate, you may have to edit /etc/ldap/ldap.conf and add the following TLS options:

TLS_CERT /etc/ssl/certs/server.crt
TLS_KEY /etc/ssl/private/server.key
TLS_CACERT /etc/ssl/certs/cacert.pem

Finally, restart slapd on each of the servers:

sudo /etc/init.d/slapd restart

1.7. LDAP Authentication

Once you have a working LDAP server, the auth-client-config and libnss-ldap packages take the
pain out of configuring an Ubuntu client to authenticate using LDAP. To install the packages from, a
terminal prompt enter:

sudo apt-get install libnss-ldap

During the install a menu dialog will ask you connection details about your LDAP server.

If you make a mistake when entering your information you can execute the dialog again using:

sudo dpkg-reconfigure ldap-auth-config

The results of the dialog can be seen in /etc/ldap.conf. If your server requires options not covered
in the menu edit this file accordingly.

Now that libnss-ldap is configured enable the auth-client-config LDAP profile by entering:

sudo auth-client-config -t nss -p lac_ldap

• -t: only modifies /etc/nsswitch.conf.

• -p: name of the profile to enable, disable, etc.

• lac_ldap: the auth-client-config profile that is part of the ldap-auth-config package.

Using the pam-auth-update utility, configure the system to use LDAP for authentication:

sudo pam-auth-update

From the pam-auth-update menu, choose LDAP and any other authentication mechanisms you need.

You should now be able to login using user credentials stored in the LDAP directory.

61

Network Authentication

If you are going to use LDAP to store Samba users you will need to configure the server to
authenticate using LDAP. See Section 2, “Samba and LDAP” [p. 65] for details.

1.8. User and Group Management

The ldap-utils package comes with multiple utilities to manage the directory, but the long string of
options needed, can make them a burden to use. The ldapscripts package contains configurable scripts
to easily manage LDAP users and groups.

To install the package, from a terminal enter:

sudo apt-get install ldapscripts

Next, edit the config file /etc/ldapscripts/ldapscripts.conf uncommenting and changing the
following to match your environment:

SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000

Now, create the ldapscripts.passwd file to allow authenticated access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

Replace “secret” with the actual password for your LDAP admin user.

The ldapscripts are now ready to help manage your directory. The following are some examples of
how to use the scripts:

• Create a new user:

sudo ldapadduser george example

This will create a user with uid george and set the user's primary group (gid) to example

• Change a user's password:

sudo ldapsetpasswd george

Changing password for user uid=george,ou=People,dc=example,dc=com

62

New Password:
New Password (verify):

• Delete a user:

sudo ldapdeleteuser george

• Add a group:

sudo ldapaddgroup qa

• Delete a group:

sudo ldapdeletegroup qa

• Add a user to a group:

sudo ldapaddusertogroup george qa

Network Authentication

You should now see a memberUid attribute for the qa group with a value of george.

• Remove a user from a group:

sudo ldapdeleteuserfromgroup george qa

The memberUid attribute should now be removed from the qa group.

• The ldapmodifyuser script allows you to add, remove, or replace a user's attributes. The script uses

the same syntax as the ldapmodify utility. For example:

sudo ldapmodifyuser george

# About to modify the following entry :
dn: uid=george,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: george
uid: george
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/george
loginShell: /bin/bash
gecos: george
description: User account
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=

# Enter your modifications here, end with CTRL-D.
dn: uid=george,ou=People,dc=example,dc=com

replace: gecos
gecos: George Carlin

The user's gecos should now be “George Carlin”.

63

Network Authentication

• Another great feature of ldapscripts, is the template system. Templates allow you to customize the

attributes of user, group, and machine objectes. For example, to enable the user template edit /etc/

ldapscripts/ldapscripts.conf changing:

UTEMPLATE="/etc/ldapscripts/ldapadduser.template"

There are sample templates in the /etc/ldapscripts directory. Copy or rename the

ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:

sudo cp /etc/ldapscripts/ldapadduser.template.sample /etc/ldapscripts/ldapadduser.template

Edit the new template to add the desired attributes. The following will create new user's as with an
objectClass of inetOrgPerson:

dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee

Notice the <ask> option used for the cn value. Using <ask> will configure ldapadduser to prompt
you for the attribute value during user creation.

There are more useful scripts in the package, to see a full list enter: dpkg -L ldapscripts | grep bin

1.9. Resources

• For more information see OpenLDAP Home Page

• Though starting to show it's age, a great source for in depth LDAP information is O'Reilly's LDAP

System Administration

2

• Packt's Mastering OpenLDAP3 is a great reference covering newer versions of OpenLDAP.

• For more information on auth-client-config see the man page: man auth-client-config.

• For more details regarding the ldapscripts package see the man pages: man ldapscripts, man

ldapadduser, man ldapaddgroup, etc.

1

64

Network Authentication

2. Samba and LDAP

This section covers configuring Samba to use LDAP for user, group, and machine account
information and authentication. The assumption is, you already have a working OpenLDAP directory
installed and the server is configured to use it for authentication. See Section 1, “OpenLDAP
Server” [p. 51] and Section 1.7, “LDAP Authentication” [p. 61] for details on setting up OpenLDAP.
For more information on installing and configuring Samba see Chapter 17, Windows Networking [p.
212].

2.1. Installation

There are three packages needed when integrating Samba with LDAP. samba, samba-doc, and
smbldap-tools packages . To install the packages, from a terminal enter:

sudo apt-get install samba samba-doc smbldap-tools

Strictly speaking the smbldap-tools package isn't needed, but unless you have another package or
custom scripts, a method of managing users, groups, and computer accounts is needed.

2.2. OpenLDAP Configuration

In order for Samba to use OpenLDAP as a passdb backend, the user objects in the directory will
need additional attributes. This section assumes you want Samba to be configured as a Windows NT
domain controller, and will add the necessary LDAP objects and attributes.

• The Samba attributes are defined in the samba.schema file which is part of the samba-doc package.

The schema file needs to be unzipped and copied to /etc/ldap/schema. From a terminal prompt
enter:

sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema/
sudo gzip -d /etc/ldap/schema/samba.schema.gz

• The samba schema needs to be added to the cn=config tree. The procedure to add a new schema to

slapd is also detailed in Section 1.2, “Configuration” [p. 51].

1. First, create a configuration file named schema_convert.conf, or a similar descriptive name,
containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema

65

Network Authentication

include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/samba.schema

2. Next, create a temporary directory to hold the output:

mkdir /tmp/ldif_output

3. Now use slapcat to convert the schema files:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}samba,cn=schema,cn=config" > /tmp/cn=samba.ldif

Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/cn\=samba.ldif file, changing the following attributes:

dn: cn=samba,cn=schema,cn=config
...
cn: samba

And remove the following lines from the bottom of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z

The attribute values will vary, just be sure the attributes are removed.

5. Finally, using the ldapadd utility, add the new schema to the directory:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=samba.ldif

There should now be a dn: cn={X}misc,cn=schema,cn=config, where "X" is the next sequential
schema, entry in the cn=config tree.

• Copy and paste the following into a file named samba_indexes.ldif:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq

66

Network Authentication

olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

Using the ldapmodify utility load the new indexes:

ldapmodify -x -D cn=admin,cn=config -W -f samba_indexes.ldif

If all went well you should see the new indexes using ldapsearch:

ldapsearch -xLLL -D cn=admin,cn=config -x -b cn=config -W olcDatabase={1}hdb

• Next, configure the smbldap-tools package to match your environment. The package comes with a
configuration script that will ask questions about the needed options. To run the script enter:

sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
sudo perl /usr/share/doc/smbldap-tools/configure.pl

Once you have answered the questions, there should be /etc/smbldap-tools/smbldap.conf and /

etc/smbldap-tools/smbldap_bind.conf files. These files are generated by the configure script, so

if you made any mistakes while executing the script it may be simpler to edit the file appropriately.

• The smbldap-populate script will add the necessary users, groups, and LDAP objects required for
Samba. It is a good idea to make a backup LDAP Data Interchange Format (LDIF) file with slapcat
before executing the command:

sudo slapcat -l backup.ldif

• Once you have a current backup execute smbldap-populate by entering:

sudo smbldap-populate

You can create an LDIF file containing the new Samba objects by executing sudo
smbldap-populate -e samba.ldif. This allows you to look over the changes making sure

everything is correct.

Your LDAP directory now has the necessary domain information to authenticate Samba users.

2.3. Samba Configuration

There a multiple ways to configure Samba for details on some common configurations see
Chapter 17, Windows Networking [p. 212]. To configure Samba to use LDAP, edit the main Samba

67

Network Authentication

configuration file /etc/samba/smb.conf commenting the passdb backend option and adding the
following:

# passdb backend = tdbsam

# LDAP Settings
passdb backend = ldapsam:ldap://hostname
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=example,dc=com
ldap ssl = start tls
ldap passwd sync = yes
...
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

Restart samba to enable the new settings:

sudo /etc/init.d/samba restart

Now Samba needs to know the LDAP admin password. From a terminal prompt enter:

sudo smbpasswd -w secret

Replacing secret with your LDAP admin password.

If you currently have users in LDAP, and you want them to authenticate using Samba, they will need
some Samba attributes defined in the samba.schema file. Add the Samba attributes to existing users
using the smbpasswd utility, replacing username with an actual user:

sudo smbpasswd -a username

You will then be asked to enter the user's password.

To add new user, group, and machine accounts use the utilities from the smbldap-tools package. Here
are some examples:

• To add a new user to LDAP with Samba attributes enter the following, replacing username with an
actual username:

sudo smbldap-useradd -a -P username

The -a option adds the Samba attributes, and the -P options calls the smbldap-passwd utility after
the user is created allowing you to enter a password for the user.

68

Network Authentication

• To remove a user from the directory enter:

sudo smbldap-userdel username

The smbldap-userdel utility also has a -r option to remove the user's home directory.

• Use smbldap-groupadd to add a group, replacing groupname with an appropriate group:

sudo smbldap-groupadd -a groupname

Similar to smbldap-useradd, the -a adds the Samba attributes.

• To add a user to a group use smbldap-groupmod:

sudo smbldap-groupmod -m username groupname

Be sure to replace username with a real user. Also, the -m option can add more than one user at a
time by listing them in comma separated format.

• smbldap-groupmod can also be used to remove a user from a group:

sudo smbldap-groupmod -x username groupname

• Additionally, the smbldap-useradd utility can add Samba machine accounts:

sudo smbldap-useradd -t 0 -w username

Replace username with the name of the workstation. The -t 0 option creates the machine account
without a delay, while the -w option specifies the user as a machine account. Also, note the add
machine script option in /etc/samba/smb.conf was changed to use smbldap-useradd.

There are more useful utilities and options in the smbldap-tools package. The man page for each
utility provides more details.

2.4. Resources

• There are multiple places where LDAP and Samba is documented in the Samba HOWTO

Collection4.

• Specifically see the passdb section5.

• Another good site is Samba OpenLDAP HOWTO6.

• Again, for more information on smbldap-tools see the man pages: man smbldap-useradd, man
smbldap-groupadd, man smbldap-populate, etc.

69

Network Authentication

3. Kerberos

Kerberos is a network authentication system based on the principal of a trusted third party. The other
two parties being the user and the service the user wishes to authenticate to. Not all services and
applications can use Kerberos, but for those that can, it brings the network environment one step
closer to being Single Sign On (SSO).

This section covers installation and configuration of a Kerberos server, and some example client
configurations.

3.1. Overview

If you are new to Kerberos there are a few terms that are good to understand before setting up
a Kerberos server. Most of the terms will relate to things you may be familiar with in other
environments:

• Principal: any users, computers, and services provided by servers need to be defined as Kerberos
Principals.

• Instances: are used for service principals and special administrative principals.

• Realms: the unique realm of control provided by the Kerberos installation. Usually the DNS
domain converted to uppercase (EXAMPLE.COM).

• Key Distribution Center: (KDC) consist of three parts, a database of all principals, the
authentication server, and the ticket granting server. For each realm there must be at least one KDC.

• Ticket Granting Ticket: issued by the Authentication Server (AS), the Ticket Granting Ticket
(TGT) is encrypted in the user's password which is known only to the user and the KDC.

• Ticket Granting Server: (TGS) issues service tickets to clients upon request.

• Tickets: confirm the identity of the two principals. One principal being a user and the other a
service requested by the user. Tickets establish an encryption key used for secure communication
during the authenticated session.

• Keytab Files: are files extracted from the KDC principal database and contain the encryption key
for a service or host.

To put the pieces together, a Realm has at least one KDC, preferably two for redundancy, which
contains a database of Principals. When a user principal logs into a workstation, configured for
Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user supplied
credentials match, the user is authenticated and can then request tickets for Kerberized services from
the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service
without entering another username and password.

70

Network Authentication

3.2. Kerberos Server

3.2.1. Installation

Before installing the Kerberos server a properly configured DNS server is needed for your
domain. Since the Kerberos Realm by convention matches the domain name, this section uses the
example.com domain configured in Section 2.3, “Primary Master” [p. 86].

Also, Kerberos is a time sensitive protocol. So if the local system time between a client machine
and the server differs by more than five minutes (by default), the workstation will not be able to
authenticate. To correct the problem all hosts should have their time synchronized using the Network

Time Protocol (NTP). For details on setting up NTP see Section 4, “Time Synchronisation with
NTP” [p. 41].

The first step in installing a Kerberos Realm is to install the krb5-kdc and krb5-admin-server
packages. From a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server

You will be asked at the end of the install to supply a name for the Kerberos and Admin servers,
which may or may not be the same server, for the realm.

Next, create the new realm with the kdb5_newrealm utility:

sudo krb5_newrealm

3.2.2. Configuration

The questions asked during installation are used to configure the /etc/krb5.conf file. If you need
to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc
daemon.

1. Now that the KDC running an admin user is needed. It is recommended to use a different

username from your everyday username. Using the kadmin.local utility in a terminal prompt
enter:

sudo kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit

71

Network Authentication

In the above example steve is the Principal, /admin is an Instance, and @EXAMPLE.COM
signifies the realm. The "every day" Principal would be steve@EXAMPLE.COM, and should
have only normal user rights.

Replace EXAMPLE.COM and steve with your Realm and admin username.

2. Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions.

The permissions are configured in the /etc/krb5kdc/kadm5.acl file:

steve/admin@EXAMPLE.COM *

This entry grants steve/admin the ability to perform any operation on all principals in the realm.

3. Now restart the krb5-admin-server for the new ACL to take affect:

sudo /etc/init.d/krb5-admin-server restart

4. The new user principal can be tested using the kinit utility:

kinit steve/admin

steve/admin@EXAMPLE.COM's Password:

After entering the password, use the klist utility to view information about the Ticket Granting
Ticket (TGT):

klist

Credentials cache: FILE:/tmp/krb5cc_1000
Principal: steve/admin@EXAMPLE.COM

Issued Expires Principal
Jul 13 17:53:34 Jul 14 03:53:34 krbtgt/EXAMPLE.COM@EXAMPLE.COM

You may need to add an entry into the /etc/hosts for the KDC. For example:

192.168.0.1 kdc01.example.com kdc01

Replacing 192.168.0.1 with the IP address of your KDC.

5. In order for clients to determine the KDC for the Realm some DNS SRV records are needed.

Add the following to /etc/named/db.example.com:

_kerberos._udp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 1 0 88 kdc01.example.com.
_kerberos._udp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM. IN SRV 10 0 88 kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM. IN SRV 1 0 464 kdc01.example.com.

72

Network Authentication

Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC,
and secondary KDC.

See Chapter 7, Domain Name Service (DNS) [p. 83] for detailed instructions on setting up
DNS.

Your new Kerberos Realm is now ready to authenticate clients.

3.3. Secondary KDC

Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a
Secondary KDC in case the primary becomes unavailable.

1. First, install the packages, and when asked for the Kerberos and Admin server names enter the

name of the Primary KDC:

sudo apt-get install krb5-kdc krb5-admin-server

2. Once you have the packages installed, create the Secondary KDC's host principal. From a

terminal prompt, enter:

kadmin -q "addprinc -randkey host/kdc02.example.com"

After, issuing any kadmin commands you will be prompted for your username/
admin@EXAMPLE.COM principal password.

3. Extract the keytab file:

kadmin -q "ktadd -k keytab.kdc02 host/kdc02.example.com"

4. There should now be a keytab.kdc02 in the current directory, move the file to /etc/

krb5.keytab:

sudo mv keytab.kdc02 /etc/krb5.keytab

If the path to the keytab.kdc02 file is different adjust accordingly.

Also, you can list the principals in a Keytab file, which can be useful when troubleshooting,
using the klist utility:

sudo klist -k /etc/krb5.keytab

5. Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For

example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:

73

Network Authentication

host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM

6. Create an empty database on the Secondary KDC:

sudo kdb5_util -s create

7. Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used

to transfer dump files:

sudo kpropd -S

8. From a terminal on the Primary KDC, create a dump file of the principal database:

sudo kdb5_util dump /var/lib/krb5kdc/dump

9. Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab:

kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com"
sudo mv keytab.kdc01 /etc/kr5b.keytab

Make sure there is a host for kdc01.example.com before extracting the Keytab.

10. Using the kprop utility push the database to the Secondary KDC:

sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

There should be a SUCCEEDED message if the propagation worked. If there is an error
message check /var/log/syslog on the secondary KDC for more information.

You may also want to create a cron job to periodically update the database on the Secondary
KDC. For example, the following will push the database every hour:

# m h dom mon dow command
0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

11. Back on the Secondary KDC, create a stash file to hold the Kerberos master key:

sudo kdb5_util stash

12. Finally, start the krb5-kdc daemon on the Secondary KDC:

sudo /etc/init.d/krb5-kdc start

The Secondary KDC should now be able to issue tickets for the Realm. You can test this by stopping
the krb5-kdc daemon on the Primary KDC, then use kinit to request a ticket. If all goes well you
should receive a ticket from the Secondary KDC.

74

Network Authentication

3.4. Kerberos Linux Client

This section covers configuring a Linux system as a Kerberos client. This will allow access to any
kerberized services once a user has successfully logged into the system.

3.4.1. Installation

In order to authenticate to a Kerberos Realm, the krb5-user and libpam-krb5 packages are needed,
along with a few others that are not strictly necessary but make life easier. To install the packages
enter the following in a terminal prompt:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

The auth-client-config package allows simple configuration of PAM for authentication from multiple
sources, and the libpam-ccreds will cache authentication credentials allowing you to login in case
the Key Distribution Center (KDC) is unavailable. This package is also useful for laptops that may
authenticate using Kerberos while on the corporate network, but will need to be accessed off the
network as well.

3.4.2. Configuration

To configure the client in a terminal enter:

sudo dpkg-reconfigure krb5-config

You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS
configured with Kerberos SRV records, the menu will prompt you for the hostname of the Key
Distribution Center (KDC) and Realm Administration server.

The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have
entries similar to the following:

[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = }
kdc = 192.168.0.1
admin_server = 192.168.0.1
}

You can test the configuration by requesting a ticket using the kinit utility. For example:

kinit steve@EXAMPLE.COM

Password for steve@EXAMPLE.COM:

When a ticket has been granted, the details can be viewed using klist:

75

Network Authentication

klist

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: steve@EXAMPLE.COM

Valid starting Expires Service principal
07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 07/25/08 05:18:57

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

Next, use the auth-client-config to configure the libpam-krb5 module to request a ticket during login:

sudo auth-client-config -a -p kerberos_example

You will should now receive a ticket upon successful login authentication.

3.5. Resources

• For more information on Kerberos see the MIT Kerberos7 site.

• O'Reilly's Kerberos: The Definitive Guide8 is a great reference when setting up Kerberos.

• Also, feel free to stop by the #ubuntu-server IRC channel on Freenode9 if you have Kerberos
questions.

76

Network Authentication

4. Kerberos and LDAP

Replicating a Kerberos principal database between two servers can be complicated, and adds an
additional user database to your network. Fortunately, MIT Kerberos can be configured to use an
LDAP directory as a principal database. This section covers configuring a primary and secondary
kerberos server to use OpenLDAP for the principal database.

4.1. Configuring OpenLDAP

First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity
to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP
replication configured between at least two servers. For information on setting up OpenLDAP see
Section 1, “OpenLDAP Server” [p. 51].

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the
KDC and LDAP server is encrypted. See Section 1.6, “TLS and SSL” [p. 58] for details.

• To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a
terminal enter:

sudo apt-get install krb5-kdc-ldap

• Next, extract the kerberos.schema.gz file:

sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

• The kerberos schema needs to be added to the cn=config tree. The procedure to add a new schema
to slapd is also detailed in Section 1.2, “Configuration” [p. 51].

1. First, create a configuration file named schema_convert.conf, or a similar descriptive name,

containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

2. Create a temporary directory to hold the LDIF files:

77

Network Authentication

mkdir /tmp/ldif_output

3. Now use slapcat to convert the schema files:

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif

Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/cn\=kerberos.ldif file, changing the following attributes:

dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos

And remove the following lines from the end of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z

The attribute values will vary, just be sure the attributes are removed.

5. Load the new schema with ldapadd:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif

6. Add an index for the krb5principalname attribute:

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: olcDatabase={1}hdb,cn=config

add: olcDbIndex

olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"

7. Finally, update the Access Control Lists (ACL):

ldapmodify -x -D cn=admin,cn=config -W

Enter LDAP Password:

dn: olcDatabase={1}hdb,cn=config

replace: olcAccess

olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=exampl

e,dc=com" write by anonymous auth by self write by * none

78

Network Authentication

-

add: olcAccess

olcAccess: to dn.base="" by * read

-

add: olcAccess

olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.

4.2. Primary KDC Configuration

With OpenLDAP configured it is time to configure the KDC.

• First, install the necessary packages, from a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

• Now edit /etc/krb5.conf adding the following options to under the appropriate sections:

[libdefaults]
default_realm = EXAMPLE.COM

...

[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
kdc = kdc02.example.com
admin_server = kdc01.example.com
admin_server = kdc02.example.com
default_domain = example.com
database_module = openldap_ldapconf
}

...

[domain_realm]
.example.com = EXAMPLE.COM

...

[dbdefaults]
ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=admin,dc=example,dc=com"

79

Network Authentication

# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
ldap_conns_per_server = 5
}

Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and
ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your

network.

• Next, use the kdb5_ldap_util utility to create the realm:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

• Create a stash of the password used to bind to the LDAP server. This password is used by the
ldap_kdc_dn and ldap_kadmin_dn options in /etc/krb5.conf:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

• Copy the CA certificate from the LDAP server:

scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs

And edit /etc/ldap/ldap.conf to use the certificate:

TLS_CACERT /etc/ssl/certs/cacert.pem

The certificate will also need to be copied to the Secondary KDC, to allow the connection
to the LDAP servers using LDAPS.

You can now add Kerberos principals to the LDAP database, and they will be copied to any other
LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:

sudo kadmin.local

Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.

80

Network Authentication

There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData
attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist
utilities to test that the user is indeed issued a ticket.

If the user object is already created the -x dn="..." option is needed to add the Kerberos
attributes. Otherwise a new principal object will be created in the realm subtree.

4.3. Secondary KDC Configuration

Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the
normal Kerberos database.

• First, install the necessary packages. In a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

• Next, edit /etc/krb5.conf to use the LDAP backend:

[libdefaults]
default_realm = EXAMPLE.COM

...

[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
kdc = kdc02.example.com
admin_server = kdc01.example.com
admin_server = kdc02.example.com
default_domain = example.com
database_module = openldap_ldapconf
}

...

[domain_realm]
.example.com = EXAMPLE.COM

...

[dbdefaults]
ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=admin,dc=example,dc=com"

# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

81

Network Authentication

# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
ldap_conns_per_server = 5
}

• Create the stash for the LDAP bind password:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

• Now, on the Primary KDC copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the
Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical
media.

sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

Again, replace EXAMPLE.COM with your actual realm.

• Finally, start the krb5-kdc daemon:

sudo /etc/init.d/krb5-kdc start

You now have redundant KDCs on your network, and with redundant LDAP servers you should be
able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one
Kerberos server become unavailable.

4.4. Resources

• The Kerberos Admin Guide10 has some additional details.

• For more information on kdb5_ldap_util see Section 5.611 and the kdb5_ldap_util man page12.

• Another useful link is the krb5.conf man page13.

82

Chapter 7. Domain Name Service (DNS)

Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain
names (FQDN) to one another. In this way, DNS alleviates the need to remember IP addresses.
Computers that run DNS are called name servers. Ubuntu ships with BIND (Berkley Internet Naming
Daemon), the most common program used for maintaining a name server on Linux.

83

Domain Name Service (DNS)

1. Installation

At a terminal prompt, enter the following command to install dns:

sudo apt-get install bind9

A very useful package for testing and troubleshooting DNS issues is the dnsutils package. To install
dnsutils enter the following:

sudo apt-get install dnsutils

84

Domain Name Service (DNS)

2. Configuration

There a many ways to configure BIND9. Some of the most common configurations are a caching
nameserver, primary master, and a as a secondary master.

• When configured as a caching nameserver BIND9 will find the answer to name queries and
remember the answer when the domain is queried again.

• As a primary master server BIND9 reads the data for a zone from a file on it's host and is
authoritative for that zone.

• In a secondary master configuration BIND9 gets the zone data from another nameserver
authoritative for the zone.

2.1. Overview

The DNS configuration files are stored in the /etc/bind directory. The primary configuration file is /

etc/bind/named.conf.

The include line specifies the filename which contains the DNS options. The directory line in the /

etc/bind/named.conf.options file tells DNS where to look for files. All files BIND uses will be

relative to this directory.

The file named /etc/bind/db.root describes the root nameservers in the world. The servers change
over time, so the /etc/bind/db.root file must be maintained now and then. This is usually done
as updates to the bind9 package. The zone section defines a master server, and it is stored in a file
mentioned in the file option.

It is possible to configure the same server to be a caching name server, primary master, and secondary
master. A server can be the Start of Authority (SOA) for one zone, while providing secondary service
for another zone. All the while providing caching services for hosts on the local LAN.

2.2. Caching Nameserver

The default configuration is setup to act as a caching server. All that is required is simply adding the
IP Addresses of your ISP's DNS servers. Simply uncomment and edit the following in /etc/bind/

named.conf.options:

forwarders {

1.2.3.4;

5.6.7.8;

};

Replace 1.2.3.4 and 5.6.7.8 with the IP Adresses of actual nameservers.

Now restart the DNS server, to enable the new configuration. From a terminal prompt:

85

Domain Name Service (DNS)

sudo /etc/init.d/bind9 restart

See Section 3.1.2, “dig” [p. 90] for information on testing a caching DNS server.

2.3. Primary Master

In this section BIND9 will be configured as the Primary Master for the domain example.com. Simply
replace example.com with your FQDN (Fully Qualified Domain Name).

2.3.1. Forward Zone File

To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, the first step is to edit /

etc/bind/named.conf.local:

zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};

Now use an existing zone file as a template to create the /etc/bind/db.example.com file:

sudo cp /etc/bind/db.local /etc/bind/db.example.com

Edit the new zone file /etc/bind/db.example.com change localhost. to the FQDN of your
server, leaving the additional "." at the end. Change 127.0.0.1 to the nameserver's IP Address and
root.localhost to a valid email address, but with a "." instead of the usual "@" symbol, again leaving
the "." at the end.

Also, create an A record for ns.example.com. The name server in this example:

;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.example.com.
@ IN A 127.0.0.1
@ IN AAAA ::1
ns IN A 192.168.1.10

You must increment the Serial Number every time you make changes to the zone file. If you make
multiple changes before restarting BIND9, simply increment the Serial once.

86

Domain Name Service (DNS)

Now, you can add DNS records to the bottom of the zone file. See Section 4.1, “Common Record
Types” [p. 94] for details.

Many admins like to use the last date edited as the serial of a zone, such as 2007010100
which is yyyymmddss (where ss is the Serial Number)

Once you have made a change to the zone file BIND9 will need to be restarted for the changes to take
effect:

sudo /etc/init.d/bind9 restart

2.3.2. Reverse Zone File

Now that the zone is setup and resolving names to IP Adresses a Reverse zone is also required. A
Reverse zone allows DNS to resolve an address to a name.

Edit /etc/bind/named.conf.local and add the following:

zone "1.168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192";
};

Replace 1.168.192 with the first three octets of whatever network you are using. Also,
name the zone file /etc/bind/db.192 appropriately. It should match the first octet of your
network.

Now create the /etc/bind/db.192 file:

sudo cp /etc/bind/db.127 /etc/bind/db.192

Next edit /etc/bind/db.192 changing the basically the same options as /etc/bind/db.example.com:

;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA ns.example.com. root.example.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns.
10 IN PTR ns.example.com.

87

Domain Name Service (DNS)

The Serial Number in the Reverse zone needs to be incremented on each changes as well. For each A
record you configure in /etc/bind/db.example.com you need to create a PTR record in /etc/bind/

db.192.

After creating the reverse zone file restart BIND9:

sudo /etc/init.d/bind9 restart

2.4. Secondary Master

Once a Primary Master has been configured a Secondary Master is needed in order to maintain the
availability of the domain should the Primary become unavailable.

First, on the Primary Master server, the zone transfer needs to be allowed. Add the allow-transfer
option to the example Forward and Reverse zone definitions in /etc/bind/named.conf.local:

zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
};

Replace 192.168.1.11 with the IP Address of your Secondary nameserver.

Next, on the Secondary Master, install the bind9 package the same way as on the Primary. Then edit
the /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse
zones:

zone "example.com" {
type slave;
file "/var/cache/bind/db.example.com";
masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
type slave;
file "/var/cache/bind/db.192";
masters { 192.168.1.10; };
};

88

Domain Name Service (DNS)

Replace 192.168.1.10 with the IP Address of your Primary nameserver.

Restart BIND9 on the Secondary Master:

sudo /etc/init.d/bind9 restart

In /var/log/syslog you should see something similar to:

slave zone "example.com" (IN) loaded (serial 6)
slave zone "100.18.172.in-addr.arpa" (IN) loaded (serial 3)

Note: A zone is only transferred if the Serial Number on the Primary is larger than the one
on the Secondary.

The default directory for non-authoritative zone files is /var/cache/bind/. This directory is
also configured in AppArmor to allow the named daemon to write to. For more information
on AppArmor see Section 4, “AppArmor” [p. 111].

89

Domain Name Service (DNS)

3. Troubleshooting

This section covers ways to help determine the cause when problems happen with DNS and BIND9.

3.1. Testing

3.1.1. resolv.conf

The first step in testing BIND9 is to add the nameserver's IP Address to a hosts resolver. The Primary
nameserver should be configured as well as another host to double check things. Simply edit /etc/

resolv.conf and add the following:

nameserver 192.168.1.10
nameserver 192.168.1.11

You should also add the IP Address of the Secondary nameserver in case the Primary
becomes unavailable.

3.1.2. dig

If you installed the dnsutils package you can test your setup using the DNS lookup utility dig:

• After installing BIND9 use dig against the loopback interface to make sure it is listening on port 53.
From a terminal prompt:

dig -x 127.0.0.1

You should see lines similar to the following in the command output:

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)

• If you have configured BIND9 as a Caching nameserver "dig" an outside domain to check the
query time:

dig ubuntu.com

Note the query time toward the end of the command output:

;; Query time: 49 msec

After a second dig there should be improvement:

;; Query time: 1 msec

90

Domain Name Service (DNS)

3.1.3. ping

Now to demonstrate how applications make use of DNS to resolve a host name use the ping utility to
send an ICMP echo request. From a terminal prompt enter:

ping example.com

This tests if the nameserver can resolve the name ns.example.com to an IP Address. The command
output should resemble:

PING ns.example.com (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms

3.1.4. named-checkzone

A great way to test your zone files is by using the named-checkzone utility installed with the bind9
package. This utility allows you to make sure the configuration is correct before restarting BIND9 and
making the changes live.

• To test our example Forward zone file enter the following from a command prompt:

named-checkzone example.com /etc/bind/db.example.com

If everything is configured correctly you should see output similar to:

zone example.com/IN: loaded serial 6
OK

• Similarly, to test the Reverse zone file enter the following:

named-checkzone example.com /etc/bind/db.192

The output should be similar to:

zone example.com/IN: loaded serial 3
OK

The Serial Number of your zone file will probably be different.

3.2. Logging

BIND9 has a wide variety of logging configuration options available. There are two main options.
The channel option configures where logs go, and the category option determines what information to
log.

91

Domain Name Service (DNS)

If no logging option is configured the default option is:

logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};

This section covers configuring BIND9 to send debug messages related to DNS queries to a separate
file.

• First, we need to configure a channel to specify which file to send the messages to. Edit /etc/

bind/named.conf.local and add the following:

logging {
channel query.log {
file "/var/log/query.log";
severity debug 3;
};
};

• Next, configure a category to send all DNS queries to the query file:

logging {
channel query.log {
file "/var/log/query.log";
severity debug 3;
};
category queries { query.log; };
};

Note: the debug option can be set from 1 to 3. If a level isn't specified level 1 is the default.

• Since the named daemon runs as the bind user the /var/log/query.log file must be created and
the ownership changed:

sudo touch /var/log/query.log
sudo chown bind /var/log/query.log

• Before named daemon can write to the new log file the AppArmor profile must be updated. First,
edit /etc/apparmor.d/usr.sbin.named and add:

/var/log/query.log w,

Next, reload the profile:

cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r

For more information on AppArmor see Section 4, “AppArmor” [p. 111]

92

Domain Name Service (DNS)

• Now restart BIND9 for the changes to take effect:

sudo /etc/init.d/bind9 restart

You should see the file /var/log/query.log fill with query information. This is a simple
example of the BIND9 logging options. For coverage of advanced options see Section 4.2, “More
Information” [p. 94].

93

Domain Name Service (DNS)

4. References

4.1. Common Record Types

This section covers some of the most common DNS record types.

• A record: This record maps an IP Address to a hostname.

www IN A 192.168.1.12

• CNAME record: Used to create an alias to an existing A record. You cannot create a CNAME
record pointing to another CNAME record.

web IN CNAME www

• MX record: Used to define where email should be sent to. Must point to an A record, not a
CNAME.

IN MX 1 mail.example.com.
mail IN A 192.168.1.13

• NS record: Used to define which servers serve copies of a zone. It must point to an A record, not a
CNAME. This is where Primary and Secondary servers are defined.

IN NS ns.example.com.
IN NS ns2.example.com.
ns IN A 192.168.1.10
ns2 IN A 192.168.1.11

4.2. More Information

The DNS HOWTO1 explains more advanced options for configuring BIND9.

For in depth coverage of DNS and BIND9 see Bind9.net2.

DNS and BIND3 is a popular book now in it's fifth edition.

A great place to ask for BIND9 assistance, and get involved with the Ubuntu Server community, is the
#ubuntu-server IRC channel on freenode4.

1

http://www.tldp.org/HOWTO/DNS-HOWTO.html

2

http://www.bind9.net/

3

http://www.oreilly.com/catalog/dns5/index.html

4

http://freenode.net

94