Thursday, January 22, 2009

Fedora Directory Server, NFS, SAMBA in action.

I was working on a centralized authentication system over the past couple of days, comparing Mandriva Directory Server with Fedora Directory Server and testing them at various levels. I thought of making the work available online so anyone else in the world can benefit from it. This will not be a step-by-step guide, but it describes the methods used to perform the tasks.

My setup was able to:

  • Authenticate Unix and Windows users from an LDAP server (Fedora Directory Server).
  • Map a dedicated network drive for all users under their username using SAMBA.
  • Enable roaming profiles for POSIX accounts using NFS exports.
  • Control hardware on GNU/Linux based systems using PolicyKit.
  • And some other stuff, like mail server authentication, etc.

Scenario

  • Users must authenticate using LDAP user credentials from a central server.
  • Existing/New Windows and GNU/Linux Clients should be authenticated via LDAP server.
  • Use e-mail facility.
  • Control over selected client hardware (e.g. USB pen drives, digital cameras, etc.).

A very rough diagram ;-)


Testing tools

Hardware

* Intel Core Duo2
* 512MB RAM
* Networking Hardware

Software

* Fedora Directory Server 8.0
* Zimbra Collaboration Suite
* Apache 2.0
* Bind

Operating Systems

* Fedora Core 9 (For Authentication Server)
* Ubuntu GNU/Linux (Clients)
* MS Windows (Clients)

Server Installation

* Installed Fedora Core 9
* Installed Fedora Directory Server 7.1
* Installed Zimbra Collaboration Suite.

Client Installation

GNU/Linux

I had to perform a few steps to set up the GNU/Linux clients to authenticate against the Fedora Directory Server.

* First install the meta-package for LDAP authentication.

# apt-get install ldap-auth-client

* Then edit the /etc/ldap.conf file to suit our setup. I had to put the following details in the ldap.conf file.


## Host
host 192.xxx.xxx.xxx

## The distinguished name of the search base
base dc=mydomain,dc=net

## LDAP version to use
ldap_version 3

## Filter to AND with uid=%s (the stock example is left commented out;
## the active filter is the one below it)
#pam_filter objectclass=account
pam_filter objectclass=posixAccount

## Group member attribute (the stock example is left commented out;
## the active attribute is the one below it)
#pam_member_attribute memberuid
pam_member_attribute uniquemember

## Password hash
pam_password md5


Leave the rest of the file as it is.


NFS Server set up

I thought of keeping the users' files on a different server for security reasons. Hence I installed the NFS server on a different computer running Ubuntu GNU/Linux. (Actually I'm running the NFS server in a virtual host.)

* Installed NFS Server


# apt-get install portmap nfs-kernel-server


* I created a directory /home/nfs to hold the user home directories.

* Edited /etc/exports and added the following line. This is what creates the network share.


/home/nfs *(rw,sync)


The above line gives every host that can reach the server read/write access to /home/nfs (file permissions still apply, and root is squashed by default). Restricting the client field to your LAN, for example 192.168.0.0/24 instead of *, limits who can mount the share at all.

After that I had to export the shares:

# exportfs -ra

* Restart the services

# /etc/init.d/portmap restart

# /etc/init.d/nfs-kernel-server restart
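Before exporting, it is worth checking what the exports file actually grants. The following audit script is an added example, not part of the original post: it reads an exports file and reports every entry that is exported read-write to all hosts (*) or that carries no_root_squash. The sample exports file it writes is constructed for the demo; the function names (write_sample_exports, audit_exports, exports_risky_count) are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit an /etc/exports file for
# shares exported read-write to every host ("*") or with no_root_squash.
# The sample exports written by write_sample_exports are constructed.

# write_sample_exports FILE: write a constructed exports file for the demo.
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample /etc/exports
/home/nfs  *(rw,sync)
/srv/pub   *(ro,sync)
/srv/data  192.168.0.0/24(rw,sync,no_root_squash)
/srv/ok    192.168.0.0/24(rw,sync,root_squash)
EOF
}

# audit_exports FILE: print one line per risky export entry, in the form
# "<path> <client>(<options>) <reason>". Prints nothing if all entries are fine.
audit_exports() {
    # subshell with globbing off, so a literal "*" client is never expanded
    ( set -f
      sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r path clients; do
          for entry in $clients; do
              case $entry in
                  *"("*) client=${entry%%"("*}; opts=${entry#*"("}; opts=${opts%")"} ;;
                  *)     client=$entry; opts= ;;
              esac
              reason=
              # rw exported to "*": any host that can reach the server may write
              case ",$opts," in
                  *,rw,*) if [ "$client" = "*" ]; then reason=rw-to-everyone; fi ;;
              esac
              # no_root_squash: root on the client is root on the share
              case ",$opts," in
                  *,no_root_squash,*) reason="${reason:+$reason,}no_root_squash" ;;
              esac
              if [ -n "$reason" ]; then
                  printf '%s %s(%s) %s\n' "$path" "$client" "$opts" "$reason"
              fi
          done
      done )
}

# exports_risky_count FILE: number of risky entries found.
exports_risky_count() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Demo run on the constructed sample file.
tmp=$(mktemp)
write_sample_exports "$tmp"
echo "risky entries: $(exports_risky_count "$tmp")"
audit_exports "$tmp"
rm -f "$tmp"
```

Run it against the real file with `audit_exports /etc/exports` before `exportfs -ra`; an empty report means every entry is restricted to named clients and keeps root squashed.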


After I was done with the server side, the next thing was to set up the clients to auto-mount the NFS share.

* Installed the nfs modules in clients

# apt-get install portmap nfs-common

* Then installed the automount module

# apt-get install autofs


Then I needed to deny access to all others and allow only the set I want.

* Edit the /etc/hosts.deny and enter the following lines.

portmap : ALL

* Edit the /etc/hosts.allow and enter the IP address of the NFS server

portmap : 192.xxx.xxx.xxx

Tip: Whenever I edit a configuration file, it's always better to put a comment before the edit. That way you can track your changes easily.

e.g. in /etc/hosts.allow I've put a comment:

#Anuradha added these lines..

portmap : 192.xxx.xxx.xxx


After that, try to mount the NFS share manually to check whether the setup is working.

# mount 192.168.0.166:/home/nfs /media/netdisk

(This is done in the client machine, and I have created a mount point in client’s /media directory.)

* Then add the following line in /etc/fstab to mount the share automatically at the computer startup.

192.xxx.xxx.xxx:/home/nfs /media/netdisk nfs rw,intr 0 0

Tip: Set the permissions on the NFS share as read/write for everyone in /home/nfs. (This is until I separate the user directories for each user.)

This was okay for mounting a particular share on a client computer at every boot. But what I want is to mount the relevant user's share upon login. So at this point I created a small shell script to get the user ID and mount that user's share. For this script to work, the user's NFS share has to exist on the NFS server, e.g. /home/[username] on the NFS server.

The script looks like this.

#!/bin/bash
# Get the logged-in user and mount that user's NFS share.
user=$(logname)
mount 192.168.0.116:/home/"$user" /media/netdisk

I have to make this script run after the user logs in.
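A login-time mount script is splicing a user name straight into a server path, so it should refuse names that could point outside /home and avoid leaving state in /tmp. The script below is an added example, not the post's script: it keeps the post's server address and mount point, validates the name, skips the mount if the mount point is already in use, and adds nosuid,noexec. The function names (valid_username, nfs_source_for, mount_user_share) and the --run flag are mine.

```shell
#!/bin/sh
# Added example (not the post's script): mount the logged-in user's NFS home
# share at login. Unlike the post's version it does not go through a file in
# /tmp, it refuses user names that could escape /home (e.g. "../etc"), it skips
# the mount if something is already mounted at the mount point, and it adds
# nosuid,noexec. Server address and mount point are the post's values.

NFS_SERVER=192.168.0.116     # the post's NFS server
MOUNT_POINT=/media/netdisk   # the post's mount point on the client

# valid_username NAME: accept lowercase POSIX-style names only (letters, digits,
# "_" and "-", not starting with a digit or "-"); rejects empty names, "/", "..".
valid_username() {
    case $1 in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# nfs_source_for NAME: print "server:/home/NAME", or fail for an unsafe name.
nfs_source_for() {
    valid_username "$1" || return 1
    printf '%s:/home/%s\n' "$NFS_SERVER" "$1"
}

# mount_user_share NAME: mount NAME's share read-write and interruptible, with
# nosuid,noexec so nothing on the share can be setuid or executed from there.
# Needs root, so run it from a session hook (or via sudo) after login.
mount_user_share() {
    src=$(nfs_source_for "$1") || {
        echo "refusing to mount a share for user '$1'" >&2
        return 1
    }
    if mountpoint -q "$MOUNT_POINT"; then
        echo "$MOUNT_POINT is already mounted, nothing to do" >&2
        return 0
    fi
    mount -t nfs -o rw,intr,nosuid,noexec "$src" "$MOUNT_POINT"
}

# Run with --run from the login hook; without it the file can be sourced for
# its functions without mounting anything.
if [ "${1:-}" = "--run" ]; then
    mount_user_share "$(logname)"
fi
```

noexec is a deliberate choice here: it stops programs being run from the share, which is what you want for a plain data drive but not for a home directory from which users launch their own scripts; drop it in that case and keep nosuid.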

But this way the user's profile will not be in roaming mode. I wanted to test this as well, so I made the user's /home directory available from the NFS server.

* Create a directory for each and every user on the NFS server, named after the user's user ID.

eg: # mkdir /home/user1

(I have given the mode as 777 for the time being…)

On the client machine, I had to configure autofs.

* Add the following line to the /etc/auto.master

/home /etc/auto.home

* Then create a file /etc/auto.home and put the following line there (the leading * is the autofs wildcard key, not a bullet; & is replaced by the matched user name).

*   -soft,intr,rsize=8192,wsize=8192,nosuid,noexec   192.168.0.116:/home/&

* I added the following line in the /etc/auto.misc too.

/home -fstype=nfs 192.xxx.xxx.xxx:/home

* Finally you have to edit the /etc/fstab and make the /home directory hard mounted.

192.168.0.116:/home /home nfs rw,intr 0 0

When I rebooted and logged in as the test user “foo” with password “foo123”, the login was successful but with one error.

“$HOME/.dmrc… some thing

To resolve this error, I set up a directory on the NFS server named the same as the LDAP user ID and gave it permissions as follows.


chown -R [usr_name] /home/[user_dir]

chmod -R 770 /home/[user_dir]

That set the home directory and also made it “world non-writeable”.

Authenticating Windows Clients.

* Use the pGina plug-in to handle the LDAP authentication.
* In pGina configuration select the ldapauto.dll plugin to configure the authentication.


Server 192.xxx.xxx.xxx
mode : Search

* Put the full DN (the dc= entries) as the search base.
* In the pGina configuration you have to set the profile path:


H:\\192.xxx.xxx.xxx\home\samba\%username%

(This way it looks for the profile under the user ID at each login.)

I should attach the /etc/samba/smb.conf file, which is the file that handles the sharing, but it's too long and will not be suitable for this post.

Note: All Unix users who wish to authenticate as NT users have to have Samba user credentials too.

Blocking USB storage mounting.

In GNU/Linux

* Use Polkit-Gnome

Define policy kit in the client machine as below.

Under “Storage” section find “Mount file systems from removable drives”.

Then edit it:

Anyone : No

Console : No

Active Console : Admin Authentication

Then, using Webmin, I can log in to the LDAP server and manage LDAP users and groups. I can give sudo power to a user by adding that user to an admin group (GID 123). After I add the user to the admin group, that user has sudo power and can mount USB pen drives. Keep in mind that the user gets admin power over that particular system too.

Tip: On Ubuntu systems it's always a good idea to create the super user and secure it with a password. Otherwise anyone can activate the super user account and your system will be at risk.

sudo passwd root

In Windows

* Windows Local Security Policy.

Map a Samba Share as a Network Drive for Windows.

* Installed Samba on a GNU/Linux (Ubuntu) server (in this case the same machine that runs the NFS server).
* Add a samba user to validate access

smbpasswd -a 'username' (here you enter a valid LDAP user name)

* Create directories under the same name, as in NFS and make them shared.

# mkdir /home/servername/share/user1


I created a small shell script to automate the user creation on the NFS server (just for fun), but I thought someone might get some use out of it.


#!/bin/bash
# Create the NFS home directory and the Samba share for an existing LDAP user.
set -e
echo "Enter the new user name: "
read -r name
echo "Creating account for $name..."
sleep 2
echo "Creating NFS Share..."
mkdir "/home/$name"
chown -R "$name":2000 "/home/$name"
chmod -R 770 "/home/$name"
echo "/home/$name --done"
sleep 2
echo "Creating Samba Share..."
mkdir "/home/virtual/$name"
chown -R "$name":2000 "/home/virtual/$name"
chmod -R 770 "/home/virtual/$name"
smbpasswd -a "$name"
echo "NFS Share and Samba Share are ready for user $name"


The above script reads the user name from the keyboard and creates the NFS and Samba shares for that user. I only had to enter the user ID exactly as I created it in LDAP.

Please accept my apologies in not arranging this as a step-by-step how to. In GENERAL, I don't follow a structure when I work (In some CRITICAL cases, yes I do follow the steps...). I try to combine the work pieces from here and there and build a system in my way of doing it.

Cheers!

4 comments:

oes tsetnoc said...

Hi, I'd just like to tell you that this piece of info is quick, to the point, no nonsense, and a workable and effective way to have directories shared in Solaris as fast as possible. It worked for me and thank you for the effort. Keep up the good work.

Dijeesh said...

Thanks. It gave me a root map and now I only have to traverse it in real. Will get back to tell my (success) story.

Bishnu said...

Hi Anuradha,
I want to know something about the power of Fedora group policy. Do you think that Fedora has the same power in group policy that Windows AD has?

cheers,
Bishnu

Anonymous said...

Your blog keeps getting better and better! Your older articles are not as good as the newer ones; you have a lot more creativity and originality now. Keep it up!