Friday, January 23, 2009

Mandriva One 2009... You made me say "WOW"

Today I installed Mandriva One 2009, a distribution which comes with a Linux kernel, GNU software and many other custom-made and free software. I installed it as a virtual machine, to test it and to see how Mandriva Directory Server performs on her own man's lap. ;-). So I started to install the packages required for it, and while they were downloading, I went on an inside tour. I was amazed, and couldn't hold back the "wow" that came from inside me...

Mandriva One 2009 comes with a Linux 2.6.27 kernel and I installed the KDE version of it, which runs KDE 4.1. There is a Gnome version too. Even though I'm not a KDE fan, I wanted to see how KDE was doing at satisfying me. I was pretty amazed: the start menu is well organized, not too many options, and looked neat. That's something I was looking forward to seeing from a KDE main menu.

There were some cool widgets which are ready to use and I activated a couple of them just to see. And the default wallpapers are very eye-catching.
Mandriva One comes with OpenOffice 3.0.0, and it was loading faster than the 2.x versions. Then I quickly went through the applications installed. There are almost all the major apps you need to run a desktop environment: Internet, Multimedia, Software Installation, System Tools, etc. If you need further apps you can easily install them using various methods: rpm, GUI based, urpmi, etc. And Compiz is packed with the OS, and has all the 3D desktop effects you need.



This version of Mandriva One 2009 comes with a good collection of apps for desktop users and fits on a single CD. You can download it from their official mirrors. The system requirements are (as on the web site):
  • Processor: Any Intel®, AMD or VIA processor
  • RAM: 512MB minimum, 1GB recommended
  • Hard disk: 2GB minimum, 6GB recommended
  • Graphics card: NVIDIA®, ATI™, Intel®, SiS, Matrox, VIA. 3D desktop functionality requires an NVIDIA GeForce (up to 8800), ATI™ Radeon 7000 to HD 3870, or Intel® i845 to x4500HD
  • 3D acceleration is supported on most capable hardware. For more details, check the hardware compatibility database
  • Sound cards: All Sound Blaster, AC97 and HDA compatible cards are supported. Note: Creative Labs X-Fi cards are not currently supported
  • DVD drive required
  • SATA, IDE, SCSI, SAS: most controllers are supported in non-RAID mode, and some are supported in RAID mode
So for those who are willing to kick Windows Vista away, and also for those who are interested in trying out KDE 4.1 without the messy look, I think Mandriva One 2009 is a good distro to try out. It comes as a live user version and can be installed and secured like a regular GNU/Linux distribution.

Okay It's time for me to get back to the work I was doing... Got to start playing with the Directory Server of it...

Mandriva Team, Good Work fellas!!!

Thursday, January 22, 2009

Fedora Directory Server, NFS, SAMBA in action.

I was working on a centralized authentication system in the past couple of days. I was comparing Mandriva Directory Server with Fedora Directory Server and testing them at various levels. I thought of making the work available online so anyone else in the world can benefit from it. This will not be a step-by-step guide sort of thing, but it has methods of performing the tasks.

My setup was able to:

  • Authenticate Unix and Windows users from an LDAP server (Fedora Directory Server).
  • Map a dedicated network drive for all the users under their username using SAMBA.
  • Enable roaming profiles for POSIX accounts using NFS exports.
  • Control hardware on GNU/Linux based systems using PolicyKit.
  • And some other stuff, like mail server authentication, etc.
Scenario

  • Users must authenticate using LDAP user credentials from a central server.
  • Existing/New Windows and GNU/Linux Clients should be authenticated via LDAP server.
  • Use e-mail facility.
  • Control over selected client hardware (e.g. USB pen drives, digital cameras, etc.).

A very rough diagram ;-)


Testing tools

Hardware

* Intel Core 2 Duo
* 512MB RAM
* Networking Hardware

Software

* Fedora Directory Server 8.0
* Zimbra Collaboration Suite
* Apache 2.0
* Bind

Operating Systems

* Fedora Core 9 (For Authentication Server)
* Ubuntu GNU/Linux (Clients)
* MS Windows (Clients)

Server Installation

* Installed Fedora Core 9
* Installed Fedora Directory Server 7.1
* Installed Zimbra Collaboration Suite.

Client Installation

GNU/Linux

I had to perform a few steps to set up the GNU/Linux clients to authenticate with the Fedora Directory Server.

* First install the meta-package for LDAP authentication.

# apt-get install ldap-auth-client

* Then edit the /etc/ldap.conf file to suit our setup. I had to put the following details in the ldap.conf file.


## Host
host 192.xxx.xxx.xxx

## The distinguished name of the search base
base dc=mydomain,dc=net

## LDAP version to use
ldap_version 3

## Filter to AND with uid=%s (only one pam_filter line is honoured;
## use objectclass=account instead for entries that are not posixAccount)
pam_filter objectclass=posixAccount

## Group member attribute (memberuid for posixGroup entries,
## uniquemember for groupOfUniqueNames entries)
pam_member_attribute memberuid

## Password hash
pam_password md5


Leave the rest of the file as it is.


NFS Server set up

I thought of keeping the users’ files on a different server for security reasons. Hence I installed the NFS server on a different computer running Ubuntu GNU/Linux. (Actually I’m running the NFS server in a virtual host.)

* Installed NFS Server


# apt-get install portmap nfs-kernel-server


* I created a directory /home/nfs to hold the user home directories.

* Edited /etc/exports and added the following line. This is to create the network share.


/home/ *(rw,sync)


The above line gives every client read-write access to /home/nfs.

After that I had to export the shares:

# exportfs -ra

* Restart the services

# /etc/init.d/portmap restart

# /etc/init.d/nfs-kernel-server restart
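As an added example (not code from the original post), here is a small POSIX sh check for an exports file: it flags a share exported to every host, as the /home line above is, and one exported with no_root_squash. The usage comment's /etc/exports path is the standard location; nothing else is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an exports file for
# shares handed to every host ("*", as in the line "/home/ *(rw,sync)")
# or exported with no_root_squash, which lets root on a client stay
# root on the server's files.
# Usage: check_exports /etc/exports   -> prints findings, returns 1 if any

check_exports() {
    file=$1
    findings=0
    set -f                    # no globbing: "*" must stay a literal host spec
    while read -r share clients; do
        case "$share" in '#'*|'') continue ;; esac   # skip comments, blanks
        [ -n "$clients" ] || clients='*'   # bare path: exportfs treats as "*"
        for entry in $clients; do
            host=${entry%%\(*}                       # text before "("
            case "$entry" in
                *\(*) opts=${entry#*\(}; opts=${opts%\)} ;;
                *)    opts='' ;;
            esac
            if [ "$host" = '*' ] || [ -z "$host" ]; then
                echo "WORLD-OPEN: $share is exported to any host ($entry)"
                findings=1
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "NO_ROOT_SQUASH: $share lets client root act as root ($entry)"
                    findings=1 ;;
            esac
        done
    done < "$file"
    set +f
    return $findings
}

# Run against a real file when one is given, e.g. ./check_exports.sh /etc/exports
if [ $# -gt 0 ]; then
    check_exports "$1"
fi
```

Restricting the line to the client network (for example a subnet instead of "*") makes the check pass while keeping the share read-write for the clients that need it.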


After I was done with the server side, the next thing was to set up the clients to auto-mount the NFS share.

* Installed the NFS packages on the clients

# apt-get install portmap nfs-common

* Then installed the automounter

# apt-get install autofs


Then I needed to deny access to everyone else and allow only the set I want.

* Edit /etc/hosts.deny and enter the following line.

portmap : ALL

* Edit /etc/hosts.allow and enter the IP address of the NFS server

portmap : 192.xxx.xxx.xxx

Tip: Whenever I edit a configuration file, it’s always better to put a comment before the edit. That way you can track your changes easily.

e.g. in /etc/hosts.allow I’ve put a comment

#Anuradha added these lines..

portmap : 192.xxx.xxx.xxx


After that, try to mount the NFS share manually to check whether the setup is working.

# mount 192.168.0.166:/home/nfs /media/netdisk

(This is done on the client machine, and I have created a mount point in the client’s /media directory.)

* Then add the following line in /etc/fstab to mount the share automatically at the computer startup.

192.xxx.xxx.xxx:/home/nfs /media/netdisk nfs rw,intr 0 0

Tip: Set the permissions on the NFS share as read/write for everyone in /home/nfs. (This is until I separate the user directories for each user.)

This was okay for mounting a particular share on a client computer at every boot. But what I want is to mount the relevant user’s share upon login. So at this point I created a small shell script to get the user name and mount that user’s share. For this script to do its job, the user’s NFS share must already exist on the NFS server, e.g. /home/[username] on the NFS server.

The script looks like this.

#!/bin/bash
# Get the logged-in user and mount that user's NFS share.
user=$(logname)
[ -n "$user" ] || exit 1
mount "192.168.0.116:/home/$user" /media/netdisk

I have to make this script run after the user login.

But this way the user’s profile will not be in a roaming mode. I wanted to test this as well, so I made the user’s /home directory available from the NFS server.

* Create a directory for each and every user on the NFS server, named by the user’s user ID.

e.g. # mkdir /home/user1

(I have given the mode as 777 for the time being…)

On the client machine, I had to configure autofs.

* Add the following line to /etc/auto.master

/home /etc/auto.home

* Then create a file /etc/auto.home and put the following line there (the leading * is the autofs wildcard key, and & expands to the user name looked up).

*    -soft,intr,rsize=8192,wsize=8192,nosuid,noexec    192.168.0.116:/home/&

* I added the following line to /etc/auto.misc too.

/home -fstype=nfs 192.xxx.xxx.xxx:/home

* Finally you have to edit /etc/fstab and hard-mount the /home directory.

192.168.0.116:/home /home nfs rw,intr 0 0

Then I rebooted and logged in as the test user “foo” with password “foo123”. The login was successful, with one error:

“$HOME/.dmrc… something”

To resolve this error, I set up a directory on the NFS server, named it the same as the LDAP user ID, and gave it permissions as follows.


chown -R [usr_name] /home/[user_dir]

chmod -R 770 /home/[user_dir]

That set the home directory and also made it “world non-writable”.
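As an added example (not part of the original post), here is a sh function that checks exactly what the .dmrc message at login complains about: the home directory must be owned by the user and not writable by other users, and .dmrc itself must be mode 644. It uses GNU stat, as found on the Ubuntu clients; the user name and path in the usage comment are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: verify the conditions behind
# the "$HOME/.dmrc" message seen at login. GDM ignores .dmrc when the home
# directory is not owned by the user or is writable by others, or when
# .dmrc itself is not mode 644. Needs GNU stat (as on the Ubuntu clients).
# Usage: check_home foo /home/foo     -> prints findings, returns 1 if any

check_home() {
    user=$1
    home=$2
    rc=0
    if [ ! -d "$home" ]; then
        echo "MISSING: $home is not a directory"
        return 1
    fi
    want_uid=$(id -u "$user" 2>/dev/null || true)   # empty if user unknown
    have_uid=$(stat -c '%u' "$home")
    mode=$(stat -c '%a' "$home")
    if [ -z "$want_uid" ] || [ "$want_uid" != "$have_uid" ]; then
        echo "OWNER: $home is owned by uid $have_uid, not by $user"
        rc=1
    fi
    # the last octal digit is "other"; 2, 3, 6 or 7 means its write bit is set
    case "$mode" in
        *[2367])
            echo "WORLD-WRITABLE: $home has mode $mode (the post used chmod 770)"
            rc=1 ;;
    esac
    if [ -f "$home/.dmrc" ]; then
        dmode=$(stat -c '%a' "$home/.dmrc")
        if [ "$dmode" != 644 ]; then
            echo "DMRC: $home/.dmrc has mode $dmode, GDM expects 644"
            rc=1
        fi
    fi
    return $rc
}

# Run against a real home directory when both arguments are given.
if [ $# -eq 2 ]; then
    check_home "$1" "$2"
fi
```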

Authenticating Windows Clients.

* Use the pGina plug-in to handle the LDAP authentication.
* In the pGina configuration select the ldapauto.dll plugin to configure the authentication.


Server 192.xxx.xxx.xxx
mode : Search

* Put the full DN (the dc entries) as the search base
* In the pGina configuration you have to put your profile path


H:\\192.xxx.xxx.xxx\home\samba\%username%

(this way it will look for the profile under the user ID at each login)

I should attach the /etc/samba/smb.conf file, which is the file that handles the sharing, but it is too long to be suitable for this post.

Note: All Unix users who wish to authenticate as NT users have to have Samba user credentials too.

Blocking USB storage mounting.

In GNU/Linux

* Use Polkit-Gnome

Define the PolicyKit policy on the client machine as below.

Under the “Storage” section find “Mount file systems from removable drives”.

Then edit it:

Anyone : No

Console : No

Active Console : Admin Authentication

Then, using Webmin, I can log in to the LDAP server and manage LDAP users and groups. I can give sudo power to a user by adding that user to an admin group (GID 123). After I add the user to the admin group, that user has sudo power and can mount USB pen drives. And keep in mind that the user gets admin power on that particular system too.

Tip: On Ubuntu systems it's always a good idea to create the superuser and secure it with a password. Otherwise anyone can activate the superuser account and your system will be at risk.

sudo passwd root

In Windows

* Windows Local Security Policy.

Map a Samba Share as a Network Drive for Windows.

* Installed Samba on a GNU/Linux (Ubuntu) server (in this case on the same machine that runs the NFS server)
* Add a Samba user to validate access

smbpasswd -a 'username' (here you enter a valid LDAP user name)

* Create directories with the same names as in NFS and share them.

# mkdir /home/servername/share/user1


I created a small shell script to automate the user creation for NFS (just for fun), but thought someone might find it useful.


#!/bin/bash
# Create the NFS and Samba home shares for an existing LDAP user.
# Run as root on the server that hosts both NFS and Samba.
set -e

read -r -p "Enter the new user name: " name

# The name must be a plain user ID that already resolves via LDAP (NSS),
# otherwise chown below would fail half-way through.
if [ -z "$name" ] || ! getent passwd "$name" >/dev/null; then
    echo "No such user: '$name'" >&2
    exit 1
fi

echo "Creating account for $name..."
sleep 2

echo "Creating NFS Share..."
mkdir -p "/home/$name"
chown -R "$name:2000" "/home/$name"      # 2000 is the users' group used here
chmod -R 770 "/home/$name"
echo "/home/$name --done"
sleep 2

echo "Creating Samba Share..."
mkdir -p "/home/virtual/$name"
chown -R "$name:2000" "/home/virtual/$name"
chmod -R 770 "/home/virtual/$name"
smbpasswd -a "$name"                     # prompts for the Samba password

echo "NFS Share and Samba Share are ready for user $name"


The above script reads the user name from the keyboard and creates the NFS and Samba shares for that user. I only had to give the user ID exactly as I created it in LDAP.

Please accept my apologies for not arranging this as a step-by-step how-to. In GENERAL, I don't follow a structure when I work (in some CRITICAL cases, yes, I do follow the steps...). I try to combine the work pieces from here and there and build a system in my way of doing it.

Cheers!