
Ubuntu RID NFS Server

Network Configuration

Rename the host to fileserver:

vi /etc/hostname
vi /etc/hosts

Create a static interface and add the Active Directory server as the DNS server:

vi /etc/network/interfaces
auto eth0
iface eth0 inet static

Reboot and check that /etc/resolv.conf lists the Windows AD server as its DNS server.

Get Kerberos working

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Use TOM.EDU as the realm.

vi /etc/krb5.conf
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes
  pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

Test Kerberos:

[root@rid-nfs ~]# host -t srv has SRV record 0 100 88

Samba and winbind

sudo apt-get install samba winbind
vi /etc/samba/smb.conf
     workgroup = TOM
     realm = TOM.EDU
     preferred master = no
     server string = Home Directory Server
     security = ADS
     encrypt passwords = yes
     log level = 3
     log file = /var/log/samba/%m
     max log size = 50
     printcap name = cups
     printing = cups
     winbind enum users = Yes
     winbind enum groups = Yes
     winbind use default domain = Yes
     winbind nested groups = Yes
     winbind separator = +
     winbind cache time = 10
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     idmap config TOM: backend = rid
     idmap config TOM: range = 10000-20000
     allow trusted domains = No
     template shell = /bin/bash
     template homedir = /home/%D/%U
     ;template primary group = "Domain Users"
     comment = Home Directories
     path = /export/home/
     valid users = %S
     read only = No
     browseable = No
     inherit acls = yes
     inherit permissions = yes
     writable = yes
     comment = All Printers
     path = /var/spool/cups
     browseable = no
     printable = yes
     guest ok = yes
vi nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat

Restart winbind, nmbd and smbd.

Join the domain:

net ads join -U Administrator


wbinfo -u
getent passwd

Setup the NFS Server

apt-get install acl nfs-kernel-server
mkdir /export/home

Add the user directories and set their permissions.

vi /etc/exports

Export the new directory:

service nfs-kernel-server restart



Enable ACL support (important: this fixes file-permission creation issues).

Open /etc/fstab, navigate to the entry for the home directory partition, and add acl to the list of options.

/dev/sda1 /export/home ext3 defaults,acl 0 0

With this option in place, remount the filesystem.

sudo mount -o remount /dev/sda1

My setup's /etc/fstab entry was a bit different:

/dev/mapper/ubuntu-root /               ext4    errors=remount-ro,acl 0       1

Sign the Puppet cert on the master. Before signing, compare the fingerprint shown by `puppet cert list` with the one the agent reports, so that only the expected request is signed:

root@puppet:/etc/puppet# puppet cert list
  "" (MD5) E0:C3:90:FF:55:A8:81:A3:05:DD:61:A4:07:4B:EB:7B
root@puppet:/etc/puppet# puppet cert sign
Signed certificate request for
Removing file Puppet::SSL::CertificateRequest at '/var/lib/puppet/ssl/ca/requests/'

Go set up the Linux client.

