Friday 24 June 2011

HOWTO: Setup an NFS server and client for LDAP

In this example I am going to set up a shared home directory to hold user homes. You would typically use this if you are using a centralised LDAP server to authenticate users.

Pre-requisites:
A standard Ubuntu server with working network and pingable by name.

You have relocated your local "sudo" user out of the default /home directory.


Configure the Server.

Note:
We are going to use an NFS server to centrally locate our users' home directories. Build or select one of your existing Ubuntu servers to act as the host.

My server is called nfs.tuxnetworks.com and I have made sure that it can be pinged by name by my LAN clients.


Log in to your NFS server as root;

Install the server software;

~# apt-get install nfs-kernel-server

Create a folder for the user home directories;

~# mkdir -p /store/ldaphomes

To export the directory, edit your exports file;

~# vi /etc/exports

Add this line;
/store/ldaphomes          *(rw,sync,no_subtree_check,no_root_squash)
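
Before restarting the server it is worth auditing the exports file, since `*(...,no_root_squash)` makes root on any client that can reach the server root on the share; whether client root needs that depends on how home directories get created, but the client list can at least be restricted to the LAN. The audit script below is an added example and not part of the original post; the exports file it builds is a constructed sample holding the post's line and a variant limited to one subnet.

```shell
#!/bin/sh
# Added example, not from the original post: audit an exports file before
# restarting nfs-kernel-server. Offering a share to every host ("*") with
# no_root_squash means root on any machine that can reach the server is
# root on the share.

# audit_exports FILE -> one line per finding (CRITICAL or WARN), nothing if clean
audit_exports() {
    awk '
    { sub(/#.*/, "") }                        # drop comments
    NF >= 2 {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; host = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {                      # split "host(opt,opt)" into host and opts
                host = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1); sub(/\)$/, "", opts)
            }
            n = split(opts, o, ",")
            noroot = 0; insecure = 0
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash") noroot = 1
                if (o[j] == "insecure")       insecure = 1
            }
            anyhost = (host == "*" || host == "")   # "(rw)" alone also means every host
            if (anyhost && noroot)
                printf "CRITICAL %s: every host, remote root is root (no_root_squash)\n", path
            else if (anyhost)
                printf "WARN %s: exported to every host\n", path
            else if (noroot)
                printf "WARN %s: remote root is root for %s (no_root_squash)\n", path, host
            if (insecure)
                printf "WARN %s: accepts client source ports above 1023 for %s\n", path, host
        }
    }' "$1"
}

# exports_ok FILE -> status 0 when there is no CRITICAL finding; use it to
# gate "service nfs-kernel-server restart" in a deployment script
exports_ok() {
    ! audit_exports "$1" | grep -q '^CRITICAL'
}

# sample_exports -> path of a constructed exports file: the post's line and a
# tightened version limited to one LAN subnet with root squashing kept on
sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server's /etc/exports
/store/ldaphomes          *(rw,sync,no_subtree_check,no_root_squash)
/store/ldaphomes-tight    10.1.1.0/24(rw,sync,no_subtree_check,root_squash)
EOF
    echo "$f"
}

# Stand-alone demo
f=$(sample_exports)
audit_exports "$f"
exports_ok "$f" || echo "exports_ok: would refuse to restart the server"
rm -f "$f"
```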


Restart the NFS server;

~# service nfs-kernel-server restart

Configure the Client.

Install the NFS client;

~# apt-get install nfs-common

We are going to mount our NFS share on /home;

Note:
If you have any home directories in /home, these will become hidden under the mounted directory. Ideally there will be no existing users in /home because you will have shifted your local admin user somewhere else.


Edit your fstab file;

~$ sudo vi /etc/fstab

Add a line like this;
nfs.tuxnetworks.com:/store/ldaphomes      /home  nfs defaults 0 0


Note:
If your /home directory was already being mounted to a block device then you should comment this entry out in your fstab file.

Mount the directory;

~$ sudo mount /home

You can check that it has worked using the df command;

nfs:/exports/ldaphomes
                     961432576 153165824 759428608  17% /home


And that's it!

Thursday 23 June 2011

HOWTO: Change your default user account to a system account

When you deploy a new Ubuntu installation, the first user it creates (uid=1000) will be given sudo privileges.

Sometimes it is desirable to have a specific "admin" user on your system that is separate from your normal user accounts which are located in the uid=1000+ range.

For example, if you are setting up an LDAP network.

Unfortunately, you can't set the uid manually during the initial installation process but you can change it afterwards.

Note:
If you make a mistake during this procedure it is possible to lock yourself out of the system completely. This is not such an issue if this is a freshly installed system but if it is already up and running in some sort of role, then you need to be extra careful. You have been warned!

I am working here with a fresh Lucid server install, and my uid=1000 user is called "sysadmin".

Log in to a console session as root;

~$ sudo -i

Manually edit your passwd file;

~# vi /etc/passwd

At the end of the file will be the entry for the "sysadmin" account;

sysadmin:x:1000:1000:system admin,,,:/home/sysadmin:/bin/bash

Change the two "1000"s to "999";

sysadmin:x:999:999:system admin,,,:/home/sysadmin:/bin/bash

Make the same change in the "group" file;

~# vi /etc/group

Change the "sysadmin" line to;

sysadmin:x:999:

Changing the uid of a user will break the permissions in their home directory;
~# ls -al /home/sysadmin
total 32
drwxr-xr-x 3 1000 1000 4096 2011-06-23 13:34 .
drwxr-xr-x 3 1000 1000 4096 2011-06-23 13:32 ..
-rw------- 1 1000 1000 48 2011-06-23 13:34 .bash_history
-rw-r--r-- 1 1000 1000 220 2011-06-23 13:32 .bash_logout
-rw-r--r-- 1 1000 1000 3103 2011-06-23 13:32 .bashrc
drwx------ 2 1000 1000 4096 2011-06-23 13:33 .cache
-rw-r--r-- 1 1000 1000 675 2011-06-23 13:32 .profile
-rw-r--r-- 1 1000 1000 0 2011-06-23 13:33 .sudo_as_admin_successful
-rw------- 1 1000 1000 663 2011-06-23 13:34 .viminfo

You can fix that by issuing the following command (recursive, so that the files inside .cache are covered as well);

~# chown -R sysadmin:sysadmin /home/sysadmin


When we set up LDAP later we will want to mount /home to an NFS share. Unfortunately, when we do this we will overwrite our sysadmin's home folder! Let's move it to the root ("/") directory.

~# mv /home/sysadmin /

We will need to change the path in the passwd file;

~# vi /etc/passwd

Change it from;

sysadmin:x:999:999:sysadmin,,,:/home/sysadmin:/bin/bash

to this;

sysadmin:x:999:999:sysadmin,,,:/sysadmin:/bin/bash

Check that all is well;
~# ls -al /sysadmin
total 32
drwxr-xr-x 3 sysadmin sysadmin 4096 2011-06-23 13:34 .
drwxr-xr-x 23 root root 4096 2011-06-24 11:29 ..
-rw------- 1 sysadmin sysadmin 48 2011-06-23 13:34 .bash_history
-rw-r--r-- 1 sysadmin sysadmin 220 2011-06-23 13:32 .bash_logout
-rw-r--r-- 1 sysadmin sysadmin 3103 2011-06-23 13:32 .bashrc
drwx------ 2 sysadmin sysadmin 4096 2011-06-23 13:33 .cache
-rw-r--r-- 1 sysadmin sysadmin 675 2011-06-23 13:32 .profile
-rw-r--r-- 1 sysadmin sysadmin 0 2011-06-23 13:33 .sudo_as_admin_successful
-rw------- 1 sysadmin sysadmin 663 2011-06-23 13:34 .viminfo


On another console, confirm that you can log in as the sysadmin user.

You should get a proper bash prompt;

sysadmin@galileo:~$

Note:
If your system has a GUI login, be aware that the logon screen will not display usernames for users with a UID of less than 1000. To log in using the "sysadmin" account in such a case, you would need to type the name into the username field manually.
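
The same change scripted with the checks that avoid the lock-out described in the note at the top of this post, as an added example that is not part of the original: it verifies that 999 is unused, rewrites the passwd and group entries without ever leaving a half-written file, moves the home directory and chowns it recursively, then lists anything else still owned by the old uid. The passwd and group files it builds are constructed from the entries shown above; the relocate step needs root and is meant to be rehearsed against a copy of /etc first.

```shell
#!/bin/sh
# Added example, not from the original post: the passwd/group edit and
# home-directory move above, with the checks that prevent a lock-out.
# ROOT is a parameter so the whole thing can be rehearsed on a copy of
# /etc before it is run against the live system.

# uid_free PASSWD UID / gid_free GROUP GID -> succeed when the id is unused
uid_free() { awk -F: -v id="$2" '$3 == id { used = 1 } END { exit used ? 1 : 0 }' "$1"; }
gid_free() { awk -F: -v id="$2" '$3 == id { used = 1 } END { exit used ? 1 : 0 }' "$1"; }

# rewrite_passwd PASSWD USER UID GID HOME -> passwd content with that one
# entry's uid, gid and home changed; every other line is passed through
rewrite_passwd() {
    awk -F: -v OFS=: -v u="$2" -v uid="$3" -v gid="$4" -v home="$5" \
        '$1 == u { $3 = uid; $4 = gid; $6 = home } { print }' "$1"
}

# rewrite_group GROUP GROUP_NAME GID -> group content with that entry's gid changed
rewrite_group() {
    awk -F: -v OFS=: -v g="$2" -v gid="$3" '$1 == g { $3 = gid } { print }' "$1"
}

# relocate_account ROOT USER OLDUID NEWUID NEWGID
#   Live use (as root): relocate_account / sysadmin 1000 999 999
relocate_account() {
    root="$1"; user="$2"; olduid="$3"; uid="$4"; gid="$5"
    pw="$root/etc/passwd"; gr="$root/etc/group"; newhome="/$user"
    uid_free "$pw" "$uid" || { echo "uid $uid is already taken in $pw" >&2; return 1; }
    gid_free "$gr" "$gid" || { echo "gid $gid is already taken in $gr" >&2; return 1; }
    # write complete new files first, then swap them in, so a failure half
    # way never leaves a truncated passwd behind (shadow is keyed by name
    # and needs no change)
    rewrite_passwd "$pw" "$user" "$uid" "$gid" "$newhome" > "$pw.new" || return 1
    rewrite_group  "$gr" "$user" "$gid" > "$gr.new" || return 1
    mv "$pw.new" "$pw" && mv "$gr.new" "$gr" || return 1
    # move the home out of /home (which the NFS mount will later cover) and
    # give the new ids ownership of everything under it, not just the top level
    mv "$root/home/$user" "$root$newhome" && chown -R "$uid:$gid" "$root$newhome" || return 1
    # whatever else the old uid owned (cron spool, /tmp files) is now orphaned
    # and should be reviewed before that uid is handed to an LDAP user
    find "$root" -xdev \( -uid "$olduid" -o -gid "$olduid" \) 2>/dev/null
}

# sample_etc -> path of a constructed ROOT holding the post's two entries
sample_etc() {
    d=$(mktemp -d); mkdir -p "$d/etc" "$d/home/sysadmin"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'sysadmin:x:1000:1000:system admin,,,:/home/sysadmin:/bin/bash' > "$d/etc/passwd"
    printf '%s\n' 'root:x:0:' 'sysadmin:x:1000:' > "$d/etc/group"
    echo "$d"
}

# Stand-alone demo: show the rewritten entries without touching the real /etc
d=$(sample_etc)
rewrite_passwd "$d/etc/passwd" sysadmin 999 999 /sysadmin
rewrite_group  "$d/etc/group"  sysadmin 999
rm -rf "$d"
```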

Tuesday 21 June 2011

Getting Up To Speed With IPv6: Get Your LAN Clients Online

This is the latest installment in my series on getting IPv6 working on your network.

Pre-requisites: A router with a working Hurricane Electric IPv6 Tunnel

OK, we will be working on your IPv6 enabled router.

Start by logging in to a console session as root;

sudo -i

First we must enable IPv6 forwarding.

Edit this file;

vi /etc/sysctl.conf

Uncomment this line;

net.ipv6.conf.all.forwarding=1

Because our LAN clients need to route out to the Internet, they will need to be on their own subnet. Take a look at the "Tunnel Details" page for your tunnel at the Hurricane Electric website.

Mine looks like this;



See the section called "Routed IPv6 Prefixes"?

Note down the address for the "Routed /64:" subnet.

For routing to work, just like IPv4, our server must have a static IP address in that subnet.

Edit your interfaces file;

vi /etc/network/interfaces

Add the following lines;
#IPV6 configuration
iface eth0 inet6 static
    address 2001:470:d:1018::1
    netmask 64
    gateway 2001:470:c:1018::2


You will notice that I have chosen to use the "1" address in my routed subnet and the default gateway is set to be the address of my local end of the IPv6 tunnel.

At this point you should reboot the router, and then log back in again as root.

On IPv6 we don't need to use DHCP to provide addresses to our LAN clients (although we can if we want to). Instead of being given an address, our clients will create their own addresses based on the network prefix that our router will advertise on the LAN. This is done using a program called radvd (Router Advertisement Daemon).

Install radvd;

apt-get install radvd

To configure radvd we need to create the following file;

vi /etc/radvd.conf

Enter the following code;
interface eth0 {
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    prefix 2001:470:d:1018::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
};


Note that the prefix here is the same subnet prefix that we used in the previous step (sans the "1" address we added).

Now we can start the radvd service;

service radvd start

You should now be able to go to a LAN client, refresh the IP address and see that you have a proper IPv6 address!

Let's take a look at a client's address;
ifconfig eth0
eth0 Link encap:Ethernet HWaddr 52:54:00:64:cf:4d
inet addr:10.1.1.61 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: 2001:470:d:1018:5054:ff:fe64:cf4d/64 Scope:Global
inet6 addr: fe80::5054:ff:fe64:cf4d/64 Scope:Link

As you can see, our LAN client now has an IPv6 Address in our routed subnet.

Try a ping to Google;
ping6 ipv6.google.com -c 4
PING ipv6.google.com(2404:6800:4006:802::1012) 56 data bytes
64 bytes from 2404:6800:4006:802::1012: icmp_seq=1 ttl=54 time=444 ms
64 bytes from 2404:6800:4006:802::1012: icmp_seq=2 ttl=54 time=440 ms
64 bytes from 2404:6800:4006:802::1012: icmp_seq=3 ttl=54 time=436 ms
64 bytes from 2404:6800:4006:802::1012: icmp_seq=4 ttl=54 time=437 ms


At this point you should be able to browse on your client to ip6-test.com and test your IPv6 again.



If all is good, you will get 10/10 tests right. If your DNS provider lets you down and you get a 9, don't worry too much; we will cover that topic later.

OK, so your clients now have routable IPv6 addresses, which is great. However, this does introduce some important security related concerns that we must address.

Normally your LAN clients are protected from outside miscreants because they are behind NAT and can't be reached from outside your network.

With IPv6 there is no NAT, so all your machines can be reached directly. If you have access to an IPv6 enabled machine outside of your own network, try pinging the IP address of one of your LAN clients. You will find that it responds without hesitation. This is especially problematic for any Windows clients on your LAN. Windows listens on a ridiculous number of open ports by default, which in turn exposes these clients to attacks from the outside world.

Again, from the outside network, try doing "nmap -6" to an address on your LAN. Look at all those listening ports that are wide open to the Internet!

Fortunately, it is not hard to block the Internet from getting to your LAN. In fact it works exactly the same as iptables.

If you already have an iptables script then add some lines similar to this;
LAN=eth0
IP6WAN=ip6tunnel

# Allow returning packets for established sessions
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ALL packets coming from our local networks
ip6tables -A INPUT -i $LAN -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A FORWARD -i $LAN -j ACCEPT

# Allow all traffic out from this host
ip6tables -A OUTPUT -j ACCEPT

# Drop all other traffic from WAN
ip6tables -A INPUT -i $IP6WAN -j DROP
ip6tables -A FORWARD -i $IP6WAN -j DROP

As you can see, it is no different than using iptables, apart from the name of course.
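
The rules above with the two additions an IPv6 router needs in practice, as an added example that is not the post's script: explicit default policies, and the ICMPv6 types IPv6 depends on (RFC 4890), since a firewall that drops all ICMPv6 from the tunnel breaks path MTU discovery. It has a dry-run mode so the generated ruleset can be reviewed before it is loaded; the interface names eth0 and ip6tunnel are taken from the post.

```shell
#!/bin/sh
# Added example, not the post's script: the post's ip6tables rules plus
# explicit default policies and the ICMPv6 types IPv6 cannot work without
# (RFC 4890). DRY_RUN=1 (the default) prints the rules instead of loading
# them; run with DRY_RUN=0 as root to apply them.
LAN="${LAN:-eth0}"              # LAN interface, as in the post
IP6WAN="${IP6WAN:-ip6tunnel}"   # tunnel interface towards HE, as in the post

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "ip6tables $*"; else ip6tables "$@"; fi
}

ip6_firewall() {
    run -F
    # Fail closed: with the default policy on ACCEPT, a mistyped interface
    # name in the DROP rules below would leave everything reachable
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    run -A INPUT -i lo -j ACCEPT
    # Replies to connections that this host or the LAN opened
    run -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN side is trusted, as in the post
    run -A INPUT   -i "$LAN" -j ACCEPT
    run -A FORWARD -i "$LAN" -j ACCEPT

    # ICMPv6 errors must get through: without Packet Too Big (2) path MTU
    # discovery fails across the tunnel and large transfers stall; 1, 3 and 4
    # are Destination Unreachable, Time Exceeded and Parameter Problem
    for t in 1 2 3 4; do
        run -A INPUT   -i "$IP6WAN" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
        run -A FORWARD -i "$IP6WAN" -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # Keep the router itself pingable, rate limited (LAN hosts stay unreachable)
    run -A INPUT -i "$IP6WAN" -p icmpv6 --icmpv6-type 128 -m limit --limit 5/s -j ACCEPT

    # Explicit drops for anything else arriving over the tunnel, as in the post
    run -A INPUT   -i "$IP6WAN" -j DROP
    run -A FORWARD -i "$IP6WAN" -j DROP
}

# The tunnel itself is IPv4 protocol 41 to the HE server, so the IPv4
# iptables ruleset must still allow that; this script covers only IPv6.
ip6_firewall
```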

With your firewall in place, try doing another nmap -PN -6 scan to your client and this time you should see something like this;
nmap -PN  -6 2001:470:d:1018:5054:ff:fe64:cf4d

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-21 12:23 EST
All 1000 scanned ports on 2001:470:d:1018:5054:ff:fe64:cf4d are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.41 seconds

Monday 20 June 2011

HOWTO: Mounting shares with autofs

This is my slightly modified version of the official Ubuntu documentation.

Normally I mount my NFS shares the old way by putting a line in my fstab file.

This does have some drawbacks, particularly when a share is rarely used, or when an NFS server disappears for whatever reason, leaving a hung share.

There is another way to manage your NFS share, and that is using autofs.

autofs is a program for automatically mounting directories on an as-needed basis. Auto-mounts are mounted only as they are accessed, and are unmounted after a period of inactivity. Because of this, automounting NFS/Samba shares conserves bandwidth and offers better overall performance compared to static mounts via fstab.

This article describes configuring autofs with indirect mapping. I wrote another article on how to configure direct mapping here.

Here's how to get it working.

First up, we need to install autofs from the Ubuntu repositories;

sudo apt-get install autofs

I keep all my mounted filesystems in a directory called /store. Of course you can use whatever directory you like.

autofs will create any mount points as they are required; all we need to do is tell it where to create them.

Edit your auto.master file;

sudo vi /etc/auto.master

Add a line like this;

/store /etc/auto.store

What that line says is that the directory /store is managed by the file /etc/auto.store.

Let's create the auto.store file now;

sudo vi /etc/auto.store

I want to mount an export called "archive" which is on the server "nfs". This is the line I enter;

archive nfs:/store/archive

The first word "archive", is the mount point that will be created in the /store directory and the rest is the server name and export.

Make sure you create the store directory;

sudo mkdir /store

Restart autofs;

sudo service autofs restart

Check to see if it is working;
ls /store/archive

audio ebooks homes iso lost+found video


Eureka!
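
A configuration check for this kind of indirect map, as an added example that is not from the post or the Ubuntu documentation: it walks auto.master and each map it references and reports the mistakes that otherwise only show up as an empty or hanging directory, namely a missing mount point, an unreadable map, a key containing a slash, or a server name that does not resolve. The auto.master and auto.store it builds are constructed to match the post's (/store managed by auto.store, "archive" on the server "nfs").

```shell
#!/bin/sh
# Added example, not from the original post or Ubuntu's docs: a sanity check
# for an indirect autofs setup like the one above, run before
# "service autofs restart".

# resolves HOST -> succeeds when the NFS server name resolves on this machine
resolves() { getent hosts "$1" >/dev/null 2>&1; }

# check_autofs AUTO_MASTER -> prints one line per problem; status 1 if any
check_autofs() {
    master="$1"
    problems=$(
        sed 's/#.*//' "$master" | while read -r mnt map _opts; do
            [ -n "$mnt" ] || continue
            case "$mnt" in
                +*) continue ;;           # "+auto.master" style includes (NIS/LDAP), skipped
                /*) ;;
                *)  echo "$master: mount point '$mnt' is not an absolute path"; continue ;;
            esac
            [ -d "$mnt" ] || echo "$mnt: directory missing (the 'sudo mkdir' step above)"
            [ -r "$map" ] || { echo "$master: map file '$map' for $mnt is not readable"; continue; }
            sed 's/#.*//' "$map" | while read -r key loc _rest; do
                [ -n "$key" ] || continue
                case "$key" in
                    */*) echo "$map: key '$key' contains '/'; indirect keys are single names" ;;
                esac
                case "$loc" in
                    *:/*) srv="${loc%%:*}"
                          resolves "$srv" || echo "$map: server '$srv' for '$key' does not resolve" ;;
                    *)    echo "$map: location '$loc' for '$key' is not server:/path" ;;
                esac
            done
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# sample_autofs -> dir holding a constructed auto.master/auto.store pair
# shaped like the post's (/store managed by auto.store, "archive" on "nfs")
sample_autofs() {
    d=$(mktemp -d); mkdir -p "$d/store"
    printf '%s\n' "$d/store $d/auto.store" '+auto.master' > "$d/auto.master"
    printf '%s\n' '# constructed map' 'archive nfs:/store/archive' > "$d/auto.store"
    echo "$d"
}

# Stand-alone demo (reports "does not resolve" unless a host called nfs exists here)
d=$(sample_autofs)
check_autofs "$d/auto.master" && echo "autofs config looks fine"
rm -rf "$d"
```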

For more information on autofs including more detailed technical details, see the documentation here.

FIX: Boxee Plays in Black and White

After recently getting Boxee to work on Ubuntu Natty I discovered a new problem. It seems that everything that plays does so in black & white.

To fix it you need to edit a file in your Boxee profile;

vi ~/.boxee/UserData/guisettings.xml

Find "rendermethod" in the XML code.

Change the enclosed value from "0" to "1"

<rendermethod>1</rendermethod>

Sunday 19 June 2011

HOWTO: Boxee on 11.04 Natty

These are the steps I took, which are based on the work done by Maxo.

First up, you need the Debian installer from the Boxee website. If you don't already have it go ahead and download it then place it in your home directory. I'm using the AMD64 package, which is called boxee-0.9.22.13692.x86_64.modfied.deb

Log in to a console; we will be working only in our home directory.

Run these commands;

dpkg-deb -x boxee-0.9.22.13692.x86_64.modfied.deb boxee
dpkg-deb --control boxee-0.9.22.13692.x86_64.modfied.deb boxee/DEBIAN


Now we need to edit the file that lists the dependencies;

vi boxee/DEBIAN/control

Find libxmlrpc-c3 in this file and append -0 (that's a zero) to the end of it so that it now says "libxmlrpc-c3-0".

That's the only change we need to make but we do need to create a new Debian package file now that we have fixed the dependency problem.

dpkg -b boxee boxee-0.9.22.13692.x86_64.natty.deb

Before we can install Boxee, we will need to manually install all the dependencies;

sudo apt-get install libcurl3 libsdl-image1.2 libsdl-gfx1.2-4 liblzo2-2 \
libdirectfb-1.2-9 libnss3-1d flashplugin-nonfree libhal-storage1 screen \
msttcorefonts libtre5 libmad0 libxmlrpc-c3-0 libnspr4-0d xsel libmms0 libenca0


With our dependencies installed we can now install our modified package;

sudo dpkg -i boxee-0.9.22.13692.x86_64.natty.deb

And with that you should have a working Boxee on your Ubuntu Natty system.
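
The unpack, edit and repack steps above as a script, added here as an example and not part of the post or Maxo's instructions: the Depends field is edited by exact package name, so it is safe to rerun and cannot turn an existing libxmlrpc-c3-0 into libxmlrpc-c3-0-0 the way a plain substitution would. The control file it builds is a constructed sample; the .deb names are the post's, and EXPECTED_SHA256 is a placeholder for a vendor-published checksum, if one exists.

```shell
#!/bin/sh
# Added example, not from the post or Maxo's instructions: rebuild the
# vendor .deb with its dependency renamed, editing only the Depends field
# and only the exact package name. EXPECTED_SHA256 is a placeholder to fill
# in only if the vendor publishes a checksum for the download.

# rename_dependency CONTROL OLD NEW -> control file text with OLD renamed to
# NEW in the Depends field only; version constraints and other fields untouched
rename_dependency() {
    awk -v old="$2" -v new="$3" '
    /^Depends:/ {
        n = split(substr($0, 9), dep, ",")         # entries after "Depends:"
        out = ""
        for (i = 1; i <= n; i++) {
            d = dep[i]
            # first token is the package name; what follows is "(>= version)" etc.
            if (match(d, /[a-z0-9][a-z0-9+.-]*/) && substr(d, RSTART, RLENGTH) == old)
                d = substr(d, 1, RSTART - 1) new substr(d, RSTART + RLENGTH)
            out = out (i > 1 ? "," : "") d
        }
        $0 = "Depends:" out
    }
    { print }' "$1"
}

# repack_boxee ORIGINAL.deb NEW.deb -> rebuilt package with the dependency fixed
repack_boxee() {
    src="$1"; dst="$2"; work=$(mktemp -d)
    if [ -n "${EXPECTED_SHA256:-}" ]; then    # placeholder, see header comment
        echo "$EXPECTED_SHA256  $src" | sha256sum -c - || { rm -rf "$work"; return 1; }
    fi
    dpkg-deb -x "$src" "$work" &&
    dpkg-deb --control "$src" "$work/DEBIAN" &&
    rename_dependency "$work/DEBIAN/control" libxmlrpc-c3 libxmlrpc-c3-0 > "$work/control.new" &&
    mv "$work/control.new" "$work/DEBIAN/control" &&
    dpkg-deb -b "$work" "$dst"
    rc=$?; rm -rf "$work"; return $rc
}

# sample_control -> a constructed control file with the post's dependency problem
sample_control() {
    f=$(mktemp)
    printf '%s\n' 'Package: boxee' 'Version: 0.9.22.13692' 'Architecture: amd64' \
        'Depends: libcurl3, libxmlrpc-c3 (>= 1.06.27), libmad0' \
        'Description: constructed sample control file' > "$f"
    echo "$f"
}

# Stand-alone demo on the constructed control file
f=$(sample_control)
rename_dependency "$f" libxmlrpc-c3 libxmlrpc-c3-0
rm -f "$f"
# Live use, with the post's file names:
# repack_boxee boxee-0.9.22.13692.x86_64.modfied.deb boxee-0.9.22.13692.x86_64.natty.deb
```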

It would be nice if the Boxee guys would update their packages occasionally but I guess the reality is that they want to make you purchase a "Boxee Box" instead.

This is the trouble with being at the mercy of the source code owner I guess. If Boxee were open source somebody would have already rebuilt the packages and we wouldn't have to dick around like this in the first place.

Update: I don't know if this is Natty specific bug, but I ran into another problem where Boxee would play video in black and white. If that happens to you, here is how to fix it.

When Upgrades Go Bad

Recently I decided to do a bit of a hardware refresh on my home server. This involved the purchase of an AMD E-350 based motherboard to replace my old Atom D510.

Unfortunately things went slightly awry when I realised that my existing server used a Compact Flash to IDE adaptor and the new board I had bought had no IDE interface.

DOH!

I ended up having to replace the Compact Flash adapter with a spare SSD that I had lying around and do an entire OS reinstall.

It was then that I struck another problem when I discovered that I couldn't find a 10.04 Server CD anywhere.

So, with my server in pieces and no Internet access I was forced to install Natty 11.04 x64 Desktop to get the thing back up and running.

It was my intention to convert this desktop install to something resembling a server install by installing the server kernel and removing all the Gnome, Unity and X packages.

Then I had another bright idea. I have an Acer Revo running Boxee as a HTPC sitting right next to the server. What if, I thought, I leave the desktop on the server?

If I did that then I could get rid of the Revo and run Boxee directly on the server.

Brilliant!

So, off I go to the Boxee site to get the x64 binary and while there I note that they still haven't updated their packages from over a year ago. That's the sort of thing that really annoys me about closed source software but as yet there is nothing open source that is anywhere near as slick as Boxee, so I guess I'm stuck using it for now.

But I digress.

I also note that the Boxee site only specifies packages for Lucid and Maverick, there is no mention of Natty at all. Hmmmm.

Undaunted, I go ahead and download the Maverick deb package.

However, when I go to install the package I strike my next problem;

"Dependency is not satisfiable: libxmlrpc-c3"

Damn!

A quick google search and I find this site and this site

It seems that some genius at Debian or Ubuntu has decided to rename the package from "libxmlrpc-c3" to "libxmlrpc-c3-0".

I really hate that.

The good news is that you can edit the Boxee deb package to change the dependency so it looks for the new name.

I followed the instructions provided by Maxo but because I was working in a remote ssh session things worked a bit differently. Maxo used Ubuntu Software Centre which worked out all the dependencies for him.

dpkg wouldn't do that. Normally this is OK, because you can simply use apt-get install -f to fix any outstanding broken dependencies, but in this case all apt-get install -f wanted to do was remove Boxee again. The only way to get things working was to install all the dependencies first and then install Boxee.

Eventually everything worked out OK, and you can do it yourself using the instructions here.

Wednesday 15 June 2011

Managing Deluge Daemon

I use the Deluge BitTorrent client on a couple of headless machines. There's not much to it; you can learn how to set it up here.

However, up until now I've been manually bringing it up and down at the command line. It's not hard, but I thought I'd streamline it a bit by making a script.

Download or copy+paste this script into a file called "torrents" and make it executable;

#!/bin/bash

FLAG="/tmp/torrents_on"
UPDATE_FIREWALL="/store/scripts/firewall"

# Check for dependencies
if ! DELUGED=$(command -v deluged); then
    echo "ERROR : Can't find 'deluged' on your system, aborting"
    exit 1
fi
if ! DELUGE_WEB=$(command -v deluge-web); then
    echo "ERROR : Can't find 'deluge-web' on your system, web interface will be disabled"
    DELUGE_WEB=""
fi

# PIDs of the running daemons, 0 when not running. pgrep -f matches the full
# command line, which is what the ps/grep/awk pipeline did by hand.
DELUGED_PID=$(pgrep -f "${DELUGED}" | head -n 1)
DELUGED_PID=${DELUGED_PID:-0}
DELUGE_WEB_PID=0
if [ -n "${DELUGE_WEB}" ]; then
    DELUGE_WEB_PID=$(pgrep -f "${DELUGE_WEB}" | head -n 1)
    DELUGE_WEB_PID=${DELUGE_WEB_PID:-0}
fi

case "$1" in
    start)
        if [ "${DELUGED_PID}" -eq 0 ]; then
            deluged
            if [ -n "${DELUGE_WEB}" ]; then
                nohup deluge-web > /dev/null 2>&1 &
            fi
            touch "${FLAG}"
            "${UPDATE_FIREWALL}"
            exit 0
        else
            echo "Deluged is already running (PID ${DELUGED_PID})"
            exit 1
        fi
        ;;

    stop)
        if [ "${DELUGED_PID}" -gt 0 ]; then
            kill "${DELUGED_PID}"
            # Only kill the web PID when there is one: "kill 0" would signal
            # this script's whole process group instead.
            if [ "${DELUGE_WEB_PID}" -gt 0 ]; then
                kill "${DELUGE_WEB_PID}"
            fi
            rm -f "${FLAG}"
            "${UPDATE_FIREWALL}"
            exit 0
        else
            echo "Deluged is not running"
            exit 1
        fi
        ;;

    status)
        if [ "${DELUGED_PID}" -gt 0 ]; then
            # "[d]eluge" matches the daemons but not this grep itself
            ps ax | grep "[d]eluge"
            exit 0
        else
            echo "Deluged is not running"
            exit 0
        fi
        ;;

    *)
        echo "Usage: torrents {start|stop|status}"
        exit 1
        ;;
esac


The script will open/close ports on your firewall as required, assuming you modify the UPDATE_FIREWALL variable with the correct location of your firewall script and modify that script to include something like this;
# Flush tables before re-applying ruleset
sudo /sbin/iptables --flush

# Bittorrent traffic
if [ -f /tmp/torrents_on ] ; then
    sudo /sbin/iptables -A INPUT -p tcp --dport 58261 -j ACCEPT
    sudo /sbin/iptables -A INPUT -p udp --dport 58261 -j ACCEPT
fi

# Drop all other traffic from WAN
sudo /sbin/iptables -A INPUT -i $WAN -j DROP
sudo /sbin/iptables -A FORWARD -i $WAN -j DROP

The above firewall script is for illustration purposes and shouldn't be used as is. Make sure you use a script that suits your own network.

Once installed, you can now use the script to control deluged and the deluge web interface from the command line using this syntax;

torrents {start|stop|status}

Enjoy!

Thursday 2 June 2011

HOWTO: Compiz Themes Using Emerald

This is one of those things that is way harder to figure out than it should be. Getting Emerald working is extremely simple, when you know how.

Figuring out the "how" is the hard part.

Fortunately, for you, I've done the hard part.

The main problem is to do with a command "emerald --replace" which must be always running to enable Emerald themes to be used. There are a lot of guides and forum answers out on teh inter00bs that suggest adding the command as a "Startup Application" in System > Preferences. That doesn't work. Some other guides reckon you need something called "fusion-icon" running in your notifications tray. That may work too but it is not necessary.

Here's what to do.

Pre-requisites:
* Ubuntu or Debian desktop, I'm using Lucid x64 but that's not important.
* 3D graphics driver with Compiz enabled and working.

We'll start off by installing some packages;

sudo apt-get install emerald compizconfig-settings-manager

Open Compiz Settings Manager;

System > Preferences > CompizConfig Settings Manager

Click the "Effects" category

Ensure "Window Decoration" is ticked and then click it.

In the "Command" text box, take note that it currently says;

/usr/bin/compiz-decorator

Change the text so that it says;

/usr/bin/emerald --replace

And that my friends is the secret sauce to get things working properly!

Note:
To disable Emerald, simply return here and click the "brush" icon at the RHS to restore the default setting.

You can now exit compizconfig-settings-manager.

You will need to restart your X server at this point. The easiest way is to just restart the machine.

OK, once you have booted up again browse on over to
http://compiz-themes.org and grab yourself a theme.

With theme in hand, open the "Emerald Themer" application;

System > Preferences > Emerald Theme Manager

Import your theme using the "Import" button.

Once it's imported, the theme will appear in the theme list. Simply click it and watch your window decorations magically change.

Easy? Well, it should be.

Wednesday 1 June 2011

Purge Your System Of Mono

Updated 18/6/2012 for Mint 13 "Maya" / Ubuntu 12.04 "Precise"

If you are not overly happy with having a bastard child of Microsoft installed on your systems and the potential patent issues that may arise from its use then this simple one liner will purge your system of mono and anything that depends on it.

Make sure you read the list of packages to be removed that the apt-get command provides before you go ahead and do it.

sudo apt-get purge mono-4.0-gac

This will remove the following from your system.
The following packages will be REMOVED:
  banshee* libappindicator0.1-cil* libdbus-glib1.0-cil* libdbus1.0-cil* libgconf2.0-cil* libgdata1.9-cil*
  libgkeyfile1.0-cil* libglib2.0-cil* libgmime2.6-cil* libgtk-sharp-beans-cil* libgtk2.0-cil* libgudev1.0-cil*
  liblaunchpad-integration1.0-cil* libmono-addins-gui0.2-cil* libmono-addins0.2-cil* libmono-cairo4.0-cil*
  libmono-corlib4.0-cil* libmono-i18n-west4.0-cil* libmono-i18n4.0-cil* libmono-posix4.0-cil*
  libmono-security4.0-cil* libmono-sharpzip4.84-cil* libmono-system-configuration4.0-cil*
  libmono-system-core4.0-cil* libmono-system-drawing4.0-cil* libmono-system-security4.0-cil*
  libmono-system-xml4.0-cil* libmono-system4.0-cil* libmono-zeroconf1.0-cil* libnotify0.4-cil* libtaglib2.0-cil*
  mint-meta-cinnamon-dvd* mono-4.0-gac* mono-gac* mono-runtime* tomboy*
0 upgraded, 0 newly installed, 36 to remove and 0 not upgraded.
After this operation, 34.3 MB disk space will be freed.


If you are happy to lose that stuff, in particular the Banshee audio player, then go ahead and hit "y" to nuke Mono once and for all*

* Actually, next time you do a dist-upgrade you are likely to have the mono infection return to your system. In such cases just reapply this treatment.