This is part of a guide to setting up Ubuntu Server Edition 11.04 for a small/medium business. The server will provide DHCP, DNS, NTP, LDAP, Kerberos and NFS services such that users can login to any machine on the network and all their files and settings will be the same across the entire network.
The clients are going to be configured so that they mount home directories from the server and verify usernames/password using ldap and kerberos.
I will not cover installing Ubuntu Desktop on the client as there are hundreds of guides for this already, however, whilst installing I recommend you create a local user named “localadmin”. We will use this account to configure the client.
First we need to install some packages:
sudo apt-get install krb5-user libpam-krb5 libnss-ldapd nfs-common
If you’ve been following this guide from the beginning, you may not be prompted for some of the following information as it is provided by your DHCP server as configured earlier.
If asked to enter your default Kerberos Version 5 realm enter: “DANBISHOP.ORG”
You might then be asked for the address of the kerberos server: “neo.danbishop.org”
The address of the administrative server: “neo.danbishop.org”
The address of your ldap server: “ldap://neo.danbishop.org/”
LDAP server search base: “dc=danbishop,dc=org”
Finally, name services to configure. Make sure you select group, passwd and shadow!
Run
sudo pam-auth-update
And ensure that LDAP and Kerberos are selected.
Now to configure idmapd so that the client correctly maps user and group names to ids, to do this you simply need to change the domain to match your own in /etc/idmapd.conf like so:
sudo nano /etc/idmapd.conf
[General] Verbosity = 0 Pipefs-Directory = /var/lib/nfs/rpc_pipefs Domain = danbishop.org [Mapping] Nobody-User = nobody Nobody-Group = nogroup
Now for the home directories…
Although we have configured everything so that clients can get kerberos settings from DNS… kadmin does not fully support this 
This means we’re going to have to make a small change to /etc/krb5.conf on the clients to make the following steps a LOT easier.
Add the following to the [realms] section of /etc/krb5.conf:
[realms]
DANBISHOP.ORG = {
kdc = neo.danbishop.org
admin_server = neo.danbishop.org
master_kdc = neo.danbishop.org
default_domain = danbishop.org
}
Now we’re going to create a kerberos principal for NFS on the client like so:
kadmin -p dan/admin -q "addprinc -randkey nfs/dan-desktop.danbishop.org"
Having specified the admin server in /etc/krb5.conf we can run these command directly from the client.
Now we need to add the principal that’s just been created on the server, to the keytab file on the client:
sudo kadmin -p dan/admin -q "ktadd nfs/dan-desktop.danbishop.org"
Sadly, there is one final change that needs to be made to /etc/krb5.conf. We need to allow weak encryption for Kerberos in order for NFS to work. This should soon be fixed (11.04?) and if you’re interested in why this is the case there are numerous bug reports on launchpad. For now though add the following to the [libdefaults] section of /etc/krb5.conf:
allow_weak_crypto = true
Configuring NFS
NFS needs to be configured to use kerberos by editing /etc/default/nfs-common:
# If you do not set values for the NEED_ options, they will be attempted # autodetected; this should be sufficient for most people. Valid alternatives # for the NEED_ options are "yes" and "no". # Do you want to start the statd daemon? It is not needed for NFSv4. NEED_STATD= # Options for rpc.statd. # Should rpc.statd listen on a specific port? This is especially useful # when you have a port-based firewall. To use a fixed port, set this # this variable to a statd argument like: "--port 4000 --outgoing-port 4001". # For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS STATDOPTS= # Do you want to start the idmapd daemon? It is only needed for NFSv4. NEED_IDMAPD=yes # Do you want to start the gssd daemon? It is required for Kerberos mounts. NEED_GSSD=yes
Note that NEED_IDMAPD and NEED_GSSD have been set to yes.
AutoFS
Now we’re going to install and configure autofs to mount home directories on login.
Install the autofs package:
sudo apt-get install autofs
To configure autofs we will edit /etc/auto.master.
sudo nano /etc/auto.master
Here is the sample file provided by Ubuntu:
# # Sample auto.master file # This is an automounter map and it has the following format # key [ -mount-options-separated-by-comma ] location # For details of the format look at autofs(5). # #/misc /etc/auto.misc # # NOTE: mounts done from a hosts map will be mounted with the # "nosuid" and "nodev" options unless the "suid" and "dev" # options are explicitly given. # #/net -hosts # # Include central master map if it can be found using # nsswitch sources. # # Note that if there are entries for /net or /misc (as # above) in the included master map any keys that are the # same will not be seen as the first read key seen takes # precedence. # +auto.master
As you can see, everything except the last line is commented out. COMMENT OUT THE LAST LINE. Then take note of the format used by the examples. Each mount point is associated with another configuration file. We will create a new configuration file for our NFS share(s).
Add the following line at the end of /etc/auto.master:
/home /etc/auto.home
This creates a mount point at /home and configures it according to the settings specified in /etc/auto.home (which we are about to create).
Now we will create the file which countains our automounter map:
sudo nano /etc/auto.home
This file should contain a separate line for each NFS share. The format for a line is {mount point} [{mount options}] {location}.
* -fstype=nfs4,rw,soft,sec=krb5 neo.danbishop.org:/home/&
This will automount any directory you try to access in /home allowing any user to login
All that remains is to restart automount (personally I’d just reboot the machine) by running:
sudo service autofs restart
Finally, we want the local machine to use LDAP groups and users over local ones so that domain administrators will have admin access to every machine on the network. This is done by editing /etc/nsswtich.conf
sudo nano /etc/nsswitch.conf
By default the file looks like so:
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat ldap group: compat ldap shadow: compat ldap hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis
We want to change passwd, group and shadow to use LDAP first:
passwd: ldap files group: ldap files shadow: ldap files
Now restart the client machine and you’re done! 