
Ubuntu RID NFS Server

Network Configuration

Rename the host to fileserver:

vi /etc/hostname
vi /etc/hosts

Create a static interface and add the Active Directory server as the DNS server:

vi /etc/network/interfaces
auto eth0
iface eth0 inet static
  address 10.10.10.30
  netmask 255.255.255.0
  network 10.10.10.0
  gateway 10.10.10.1
  dns-nameservers 10.10.10.10
  dns-search tom.edu

Reboot and check that /etc/resolv.conf lists the Windows AD server as its DNS server.

Get Kerberos working:

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Use TOM.EDU as the realm.

vi /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  
  [libdefaults]
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  
  [appdefaults]
  pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
  }

Test Kerberos by checking that the KDC SRV record resolves:

[root@rid-nfs ~]# host -t srv _kerberos._tcp.tom.edu
_kerberos._tcp.tom.edu has SRV record 0 100 88 ad.tom.edu.

Samba and winbind

sudo apt-get install samba winbind
vi /etc/samba/smb.conf
#GLOBAL PARAMETERS
  [global]
     workgroup = TOM
     realm = TOM.EDU
     preferred master = no
     server string = Home Directory Server
     security = ADS
     encrypt passwords = yes
     log level = 3
     log file = /var/log/samba/%m
     max log size = 50
     printcap name = cups
     printing = cups
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind nested groups = Yes
     winbind separator = +
     winbind cache time = 10
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     idmap config TOM: backend = rid
     idmap config TOM: range = 10000-20000
     allow trusted domains = No
     template shell = /bin/bash
     template homedir = /home/%D/%U
     ;template primary group = "Domain Users"
  
  [homes]
     comment = Home Directories
     path = /export/home/
     valid users = %S
     read only = No
     browseable = No
     inherit acls = yes
     inherit permissions = yes
     writable = yes
  
  [printers]
     comment = All Printers
     path = /var/spool/cups
     browseable = no
     printable = yes
     guest ok = yes
vi /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat

Restart winbind, nmbd and smbd.

Join the domain:

net ads join -U Administrator

Test that winbind can enumerate domain users and that they appear via NSS:

wbinfo -u
getent passwd

Set up the NFS server:

apt-get install acl nfs-kernel-server
mkdir /export/home

Add the user directories and set their permissions.

vi /etc/exports
/export/home 10.10.10.0/24(rw,sync,no_subtree_check)

Export the new directory (the export above is limited to the 10.10.10.0/24 subnet):

service nfs-kernel-server restart

Test that the export is active:

exportfs

Enable ACL support (important: this fixes the permission problems seen when files are created).

Open /etc/fstab, find the entry for the home directory partition, and add acl to its list of mount options.

/dev/sda1 /export/home ext3 defaults,acl 0 0

With this option in place, remount the filesystem:

sudo mount -o remount /dev/sda1

My /etc/fstab entry was slightly different:

/dev/mapper/ubuntu-root /               ext4    errors=remount-ro,acl 0       1

Sign the Puppet certificate on the master (the `puppet cert list` output shows the pending request's fingerprint):

root@puppet:/etc/puppet# puppet cert list
  "fileserver.tom.edu" (MD5) E0:C3:90:FF:55:A8:81:A3:05:DD:61:A4:07:4B:EB:7B
root@puppet:/etc/puppet# puppet cert sign fileserver.tom.edu
Signed certificate request for fileserver.tom.umb.edu
Removing file Puppet::SSL::CertificateRequest fileserver.tom.edu at '/var/lib/puppet/ssl/ca/requests/fileserver.tom.edu.pem'

Next, set up the Linux client:

ubuntu rid client