Scenario
Nethserver + nfsserver + linuxclient
I didn’t manage to get the NFS server running on Nethserver,
so I use a dedicated machine for the NFS service.
As a consequence, the home directories for the Linux machines reside on the NFS server
and are not the same as those on the Nethserver!
At the moment there is no synchronisation between the folders on the Nethserver
and the NFS server. That means that your Windows clients will not see
the files created by the Linux machines!
Modify Nethserver
yum install nethserver-directory
Common part for NFS-Server and Linuxclient
The first part of the installation is the same for the NFS server and the client.
I made a script (see end of the page) that does all the steps automatically.
This here is just the detailed description.
Step 1: Installing the software
aptitude install libnss-ldap libpam-ldap nscd ldap-utils nfs-kernel-server -y
For the client, nfs-common should be enough, but nfs-kernel-server works too.
The following dialogs just set parameters in text files. We will modify them later
by hand, so fill in whatever you want.
Step 2: Hosts file /etc/hosts
If you have a working DNS server, this step might be obsolete.
If not, fill in the IPs of your Nethserver, NFS server and client:
aaa.bbb.ccc.ddd nethserver.example.com nethserver
kkk.lll.mmm.nnn nfsserver.example.com nfsserver
rrr.sss.ttt.uuu thisclient.example.com thisclient
For me, I comment out the 127.0.1.1 line.
Step 3: pam
Delete use_authtok
in /etc/pam.d/common-password
Step 4: nsswitch
Add ldap to /etc/nsswitch.conf
passwd: compat ldap
group: compat ldap
shadow: compat ldap
Step 5: Create new /etc/ldap.conf
base dc=directory,dc=nh
uri ldap://${NETHSERVER_IP}/
ldap_version 3
binddn cn=libuser,dc=directory,dc=nh
rootbinddn cn=libuser,dc=directory,dc=nh
pam_password md5
ssl start_tls
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,mdm,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,www-data
Step 6: Create new /etc/ldap/ldap.conf
Fill in your IP!
BASE dc=directory,dc=nh
URI ldap://${NETHSERVER_IP}:389
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
Step 7: Secret
Get the secret of libuser from the Nethserver. You find it like this (on the server):
cat /var/lib/nethserver/secrets/libuser
Paste it in /etc/ldap.secret. The file must be owned by root with mode 600, as ldap.conf(5) requires for the rootbinddn password file; otherwise every local user can read the bind password.
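The client side is ready for the reboot only if the three files from Steps 4 to 7 are in shape: /etc/ldap.secret readable by root alone, no bind password sitting in a world-readable /etc/ldap.conf, and ldap listed for passwd, group and shadow in /etc/nsswitch.conf. The following checks are an added example and not part of the original page or the Nethserver project; each takes the file to inspect as an argument so it can be tried on constructed copies, and it assumes GNU stat as found on the Debian/Ubuntu clients this page targets.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the client-side
# LDAP files written in Steps 4 to 7, to run before the reboot in Step 10.
# Each check takes the file as an argument so it can also be exercised on
# constructed copies. Assumes GNU stat (Debian/Ubuntu, as used on this page).

# ldap.conf(5): the rootbinddn password file /etc/ldap.secret must be
# readable by root only; otherwise every local user can read the libuser
# bind password. Mode 600 or 400 passes.
secret_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(stat -c '%a' "$f")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# The script at the end of the page also writes "bindpw ..." into
# /etc/ldap.conf, which is normally world-readable. Returns 0 (finding)
# when a file that is not restricted to root carries the bind password.
bindpw_exposed() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q '^bindpw' "$f" || return 1
    case "$(stat -c '%a' "$f")" in
        600|400) return 1 ;;
        *)       return 0 ;;
    esac
}

# nsswitch.conf (Step 4): passwd, group and shadow must all list ldap.
nsswitch_ldap_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    for db in passwd group shadow; do
        grep -Eq "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$f" || return 1
    done
    return 0
}

# Run the checks against the live files and print one verdict per check.
check_client() {
    rc=0
    if secret_mode_ok /etc/ldap.secret; then
        echo "ok: /etc/ldap.secret is readable by root only"
    else
        echo "FAIL: /etc/ldap.secret missing or not mode 600"; rc=1
    fi
    if bindpw_exposed /etc/ldap.conf; then
        echo "WARN: /etc/ldap.conf contains bindpw and is not restricted to root"; rc=1
    fi
    if nsswitch_ldap_ok /etc/nsswitch.conf; then
        echo "ok: passwd, group and shadow consult ldap"
    else
        echo "FAIL: /etc/nsswitch.conf does not list ldap for passwd, group and shadow"; rc=1
    fi
    return $rc
}

# Usage on the client (as root): sh ldap_client_check.sh run
if [ "${1:-}" = run ]; then check_client; fi
```

The bindpw check exists because the script at the end of the page writes the libuser secret into /etc/ldap.conf as well as into /etc/ldap.secret; if you keep that line, give /etc/ldap.conf the same restrictive mode or drop the bindpw line and rely on rootbinddn plus /etc/ldap.secret as in Step 5.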
This is ONLY for the Linux client!!!
Step 8: Create homes
mkdir -p /var/lib/nethserver/home
chmod -R 777 /var/lib/nethserver
Step 9: /etc/fstab
Add the line and fill in your IP (with fsid=0 on /nfsexports the server presents /nfsexports/home as /home in the NFSv4 pseudo-root, so the client mounts /home):
${NFS_IP}:/home /var/lib/nethserver/home nfs auto,bg 0 0
Step 10: Reboot
Be careful! If you do not yet have the NFS server, you will get a timeout mounting the homes!
This is only for the NFS server
Step 10: Create Export directories
# create exportdirectories
mkdir -p /nfsexports/home
mkdir -p /nfsexports/data
chmod -R 777 /nfsexports
# create a local data-directory
mkdir -p /opt/data
chmod -R 777 /opt/data
Step 11: Create bindmounts in /etc/fstab
Add the following lines
/home /nfsexports/home none bind 0 0
/opt/data /nfsexports/data none bind 0 0
Step 12: Create /etc/exports
Add the following lines
/nfsexports 172.16.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/nfsexports/home 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
/nfsexports/data 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
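The export options above are the author's choice for a trusted LAN, and they are worth a second look before the list goes live: insecure lets requests come from unprivileged source ports, async acknowledges writes before they reach disk (a server crash can lose them), and a /16 client range covers every host on that network. The reviewer below is an added example, not code from the original page or the Nethserver project; it reads exports(5) lines on stdin, assumes the usual "path client(options) ..." layout, and prints one finding per line. The sample input is constructed from the three lines above plus two extra lines for contrast.

```shell
#!/bin/sh
# Added example, not from the original page: review an exports(5) file for
# options a practitioner would want to look at twice before exporting user
# data to a whole network. Reads exports lines on stdin and prints one
# "<path> <client> <finding>" line per finding.

audit_exports() {
    set -f    # no pathname expansion: a client of "*" must stay literal
    while read -r path rest; do
        # skip blank lines and comments
        case "$path" in ''|'#'*) continue ;; esac
        # one export line may list several "client(options)" specs
        for spec in $rest; do
            client=${spec%%"("*}
            case "$spec" in
                *"("*) opts=${spec#*"("}; opts=${opts%")"} ;;
                *)     opts='' ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client root on the client is root on the export (no_root_squash)" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "$path $client accepts requests from unprivileged source ports (insecure)" ;;
            esac
            case ",$opts," in
                *,async,*) echo "$path $client acknowledges writes before they reach disk; a server crash can lose data (async)" ;;
            esac
            case "$client" in
                '*') echo "$path $client exported to every host" ;;
                */*) prefix=${client#*/}
                     if [ "$prefix" -lt 24 ] 2>/dev/null; then
                         echo "$path $client exported to a whole network range (/$prefix)"
                     fi ;;
            esac
        done
    done
    set +f
    return 0
}

# Count the finding lines produced by audit_exports (for a pass/fail summary).
count_findings() {
    n=0
    while read -r line; do n=$((n + 1)); done
    echo "$n"
}

# Constructed sample: the three export lines from this page plus two extra
# lines, one wide open and one tightened, for contrast.
SAMPLE_EXPORTS='/nfsexports 172.16.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/nfsexports/home 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
/nfsexports/data 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
# constructed extra lines
/srv/scratch *(rw,no_root_squash,sync)
/srv/ro 172.16.1.0/24(ro,sync,root_squash)'

# Usage on the NFS server: audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

Run against the page's three lines the reviewer reports insecure, async and the /16 range for each of them; a line such as the constructed /srv/ro export with a /24 range, sync and root_squash produces no finding. Findings are observations for the operator to weigh against the LAN they trust, not failures in themselves.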
Step 13: Usermanagement
Unfortunately I didn’t manage to get the pam modules working that create user homes at login across NFS mounts. So you have to create the home directories for the users and set the ownership.
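Creating those home directories by hand for every imported user is tedious and easy to get wrong on ownership, so here is an added example (not from the original page or the Nethserver project) that does it in two steps on the NFS server: plan which LDAP users below the exported home root still lack a directory, then create each one with mode 700 and the user's numeric uid and gid. It assumes NSS on the NFS server already resolves the LDAP users (Steps 4 and 5) and that the exported home root is /home; the passwd lines in sample_passwd are constructed for trying it without LDAP.

```shell
#!/bin/sh
# Added example, not from the original page: pre-create the home directories
# on the NFS server for users that only exist in LDAP (Step 13), since the
# pam module that would create them at login is not in use here.
# Assumes NSS on the NFS server already resolves LDAP users (Steps 4 and 5)
# and that the exported home root is /home (the default argument below).

# Print "login:uid:gid:home" for every user with uid >= 1000 whose home lies
# below BASE and does not exist yet. Reads passwd(5)-formatted lines on stdin
# so the selection can be tested on constructed data.
plan_homes() {
    base="${1:-/home}"
    while IFS=: read -r login _pw uid gid _gecos home _shell; do
        [ "$uid" -ge 1000 ] 2>/dev/null || continue       # skip system accounts
        case "$home" in "$base"/*) ;; *) continue ;; esac   # only homes below BASE
        [ -d "$home" ] && continue                           # already there
        printf '%s:%s:%s:%s\n' "$login" "$uid" "$gid" "$home"
    done
    return 0
}

# Create the planned directories with mode 700 and the user's numeric uid/gid
# as owner, so one user's files are not readable by every other user of the
# shared export. Numeric ids work even when the account only resolves
# through LDAP.
create_homes() {
    while IFS=: read -r login uid gid home; do
        mkdir -p "$home" || return 1
        chown "$uid:$gid" "$home" || return 1
        chmod 700 "$home" || return 1
        echo "created $home for $login ($uid:$gid)"
    done
    return 0
}

# Constructed passwd lines for trying the plan step without LDAP; $1 is the
# home base to use. root and bob must be skipped, alice and carol planned.
sample_passwd() {
    printf '%s\n' \
        "root:x:0:0:root:/root:/bin/bash" \
        "alice:x:1001:1001:Alice:$1/alice:/bin/bash" \
        "bob:x:1002:1001:Bob:/srv/bob:/bin/bash" \
        "carol:x:1003:1001:Carol:$1/carol:/bin/bash"
}

# On the NFS server (as root) the real run is:
#   getent passwd | plan_homes /home | create_homes
# Dry run against the constructed data (prints the plan only):
sample_passwd /home | plan_homes /home
```

Piping getent through plan_homes first lets you review the list before anything is created; because plan_homes skips directories that already exist, the full pipeline can be re-run after every CSV import without touching existing homes.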
EXTRA
If you do a user import with a CSV file, the users will get the wrong login shell. To change that, follow these steps:
Step A: Create a file with the "dn"s (on the Nethserver):
ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL dn | grep People > dn.csv
Step B: Modify the file
Delete all users you don’t want to change.
Step C: Create a script to produce a LDIF-File
#!/bin/bash
# Turn every DN in dn.csv into an LDIF change that sets loginShell to /bin/bash.
ldif=bashing.ldif
: > "$ldif"    # start with an empty file, so re-running does not append duplicates
while IFS= read -r dn; do
    [ -n "$dn" ] || continue    # skip empty lines
    printf '%s\nchangetype: modify\nreplace: loginShell\nloginShell: /bin/bash\n\n' "$dn" >> "$ldif"
done < dn.csv
Step D: Import the LDIF-File
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f bashing.ldif
SCRIPT
I hope the pasting didn’t ruin the script. I tested it with some machines, and it worked.
It can be used to install an NFS server AND an LDAP client.
There might be a timeout when the client machine boots, because of a timing problem:
the mounting of the home dirs could happen before the network is ready.
(The NFS server install part is not yet tested (function at the bottom of the script)!)
#!/bin/bash
# LDAP client / NFS server setup. Run as root after Step 1 has installed the packages.
DLG_TITLE="Ldap_client_config"
# Some dialogs for the settings
NETHSERVER_FQDN=$(whiptail --title "$DLG_TITLE" --inputbox "Full Nethservername?" 10 60 nethy.niedernburg.intranet 3>&1 1>&2 2>&3)
NETHSERVER_IP=$(whiptail --title "$DLG_TITLE" --inputbox "IP of Nethserver?" 10 60 172.16.253.3 3>&1 1>&2 2>&3)
NFS_IP=$(whiptail --title "$DLG_TITLE" --inputbox "IP of NFS Server?" 10 60 172.16.253.5 3>&1 1>&2 2>&3)
NFS_HOSTNAME=$(whiptail --title "$DLG_TITLE" --inputbox "HOSTNAME of NFS Server?" 10 60 nfsserver 3>&1 1>&2 2>&3)
MYSECRET=$(whiptail --title "$DLG_TITLE" --inputbox "Ldap secret of libuser" 10 60 secretsescret 3>&1 1>&2 2>&3)
# if we don't get the IP automatically, we can enter it here
MY_IP=$(ip -4 addr show eth0 | awk '/inet /{sub("/.*", "", $2); print $2; exit}')
CLIENT_IP=$(whiptail --title "$DLG_TITLE" --inputbox "IP of this machine" 10 60 "$MY_IP" 3>&1 1>&2 2>&3)
# split the FQDN into hostname and domain parts (host.dc1.dc2)
IFS=. read -r NETHSERVER_HOSTNAME dc1 dc2 <<< "$NETHSERVER_FQDN"
################## changing files ...
# /etc/pam.d/common-password: delete use_authtok
sed -i 's/use_authtok//' /etc/pam.d/common-password
# /etc/nsswitch.conf: add ldap as search location after compat
sed -i 's/compat/compat ldap/' /etc/nsswitch.conf
# /etc/hosts: comment out the 127.0.1.1 line and add the three machines
sed -i 's/^127\.0\.1\.1/#127.0.1.1/' /etc/hosts
echo "$CLIENT_IP ${HOSTNAME}.$dc1.$dc2 $HOSTNAME" >> /etc/hosts
echo "$NETHSERVER_IP $NETHSERVER_FQDN $NETHSERVER_HOSTNAME" >> /etc/hosts
echo "$NFS_IP $NFS_HOSTNAME.$dc1.$dc2 $NFS_HOSTNAME" >> /etc/hosts
# create content of /etc/ldap.conf
ldap1_conf=$(cat <<EOF
base dc=directory,dc=nh
uri ldap://${NETHSERVER_IP}/
ldap_version 3
binddn cn=libuser,dc=directory,dc=nh
bindpw $MYSECRET
rootbinddn cn=libuser,dc=directory,dc=nh
pam_password md5
ssl start_tls
nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,list,lp,mail,man,mdm,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,statd,sync,sys,syslog,tftp,usbmux,uucp,www-data
EOF
)
# /etc/ldap.conf: make backup and write new file
cp /etc/ldap.conf /etc/ldap.conf.sik
echo "$ldap1_conf" > /etc/ldap.conf
# create content of /etc/ldap/ldap.conf
ldap2_conf=$(cat <<EOF
BASE dc=directory,dc=nh
URI ldap://${NETHSERVER_IP}:389
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
EOF
)
# /etc/ldap/ldap.conf: make backup and write new file
cp /etc/ldap/ldap.conf /etc/ldap/ldap.conf.sik
echo "$ldap2_conf" > /etc/ldap/ldap.conf
# save password in file: root-only (mode 600), it is the libuser bind password
( umask 077; echo "$MYSECRET" > /etc/ldap.secret )
chmod 600 /etc/ldap.secret
############### Splitting up between client and nfs-server
function client(){
    # mount point for the homes; the server presents /nfsexports/home as /home (NFSv4 pseudo-root, fsid=0)
    mkdir -p /var/lib/nethserver/home
    chmod -R 777 /var/lib/nethserver
    echo "${NFS_IP}:/home /var/lib/nethserver/home nfs auto,bg 0 0" >> /etc/fstab
    echo "Please reboot the machine now!"
}
function nfs(){
    # create exportdirectories
    mkdir -p /nfsexports/home /nfsexports/data
    chmod -R 777 /nfsexports
    # create a local data-directory
    mkdir -p /opt/data
    chmod -R 777 /opt/data
    # entries for the bindmounts in /etc/fstab (unquoted: quotes would end up in the file)
    cat >> /etc/fstab <<EOF
/home /nfsexports/home none bind 0 0
/opt/data /nfsexports/data none bind 0 0
EOF
    # entries in /etc/exports
    cat >> /etc/exports <<EOF
/nfsexports 172.16.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/nfsexports/home 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
/nfsexports/data 172.16.0.0/16(rw,nohide,insecure,no_subtree_check,async)
EOF
    # activate the bind mounts and the export list without a reboot
    mount -a
    exportfs -ra
}
OPTION=$(whiptail --title "Inst. Type" --menu "Choose your option" 15 60 4 \
    "1" "Normal Ldapclient" \
    "2" "NFS-Server" 3>&1 1>&2 2>&3)
exitstatus=$?
if [ "$exitstatus" = 0 ]; then
    case "$OPTION" in
        1) client ;;
        2) nfs ;;
        *) echo "should not happen" ;;
    esac
else
    echo "can that happen?"
fi