~ubuntu-branches/ubuntu/jaunty/ubuntu-docs/jaunty-proposed

* Various serverguide fixes:
  - Grammar error (LP: #203829) - Dean Sas
  - Fix mailman dependencies (LP: #291772) - Morten Siebuhr
  - CVS installation error (LP: #298605) - Thomas M
  - Postfox installation error (LP: #306289) - Adam Sommer
  - SSH update (LP: #311900) - Dean Sas
  - unzoo replaced by zoo (LP: #312506)
  - Samba instructions update (LP: #313232) - Adam Sommer
  - Clearer SSL instructions (LP: #314951) - Adam Sommer
  - LDAP error (LP: #319179) - Adam Sommer
  - MoinMoin installation fix (LP: #320840) - Adam Sommer
  - Postfix ssl improvements (LP: #323203) - Adam Sommer
  - Ebox instructions error (LP: #324399) - Dean Sas
  - Typo in openssh section (LP: #325828) - Dean Sas
  - Typo in samba section (LP: #285484) - Nick Ellery
  - SSHD fix (LP: #295279) - Adam Sommer
  - Jeos fix (LP: #307582) - Adam Sommer
  - Remove reference to ebox-all package (LP: #322367) - Adam Sommer

* Typo in "switching from windows" (LP: #309735)
* Broken link in "programming" (LP: #310081) - Jonathan Jesse
* lsb_release issue in "basic commands" (LP: #310713) - Thomas M
* Updating logout instructions (LP: #327060) - Dean Sas
* Updating all documents to use apt-url for installation instructions
* Refreshing pot files for Rosetta
* Recompress *.png files with 'advpng -z -4 file.png' to save space -  Sahak Petrosyan
* Improve instructions on pasting commands (LP: #185892) - Martin Mai
* Rewrite of networking instructions (LP: #298513, LP: #321308, LP: #314680, LP: #321179) - Dougie Richardson
* Amend punctuation of about-ubuntu (LP: #275592) - Dougie Richardson
* Documentation for automatic login (LP: #290467) - Dougie Richardson

files added:
internet/C/connecttoserver.xml

internet/C/disconnecting.xml

internet/C/information.xml

internet/C/nm.xml

serverguide/C/clustering.xml

serverguide/C/other-apps.xml

files removed:
internet/C/connect.xml

files modified:
about-ubuntu/C/about-ubuntu.xml

about-ubuntu/po/about-ubuntu.pot

add-applications/C/add-applications.xml

add-applications/po/add-applications.pot

administrative/po/administrative.pot

advanced-topics/po/advanced-topics.pot

basic-commands/C/basic-commands.xml

basic-commands/po/basic-commands.pot

browser-startpage/img/header.png

browser-startpage/img/headerlogo.png

config-desktop/C/config-desktop.xml

config-desktop/po/config-desktop.pot

debian/changelog

desktop-effects/C/desktop-effects.xml

desktop-effects/po/desktop-effects.pot

files-and-docs/po/files-and-docs.pot

games/C/games.xml

games/po/games.pot

hardware/C/hardware.xml

hardware/po/hardware.pot

internet/C/basics.xml

internet/C/connecting.xml

internet/C/internet.xml

internet/C/networking.xml

internet/C/troubleshooting.xml

internet/C/web-apps.xml

internet/C/wireless.xml

internet/po/internet.pot

keeping-safe/C/keeping-safe.xml

keeping-safe/po/keeping-safe.pot

libs/admon/caution.png

libs/admon/important.png

libs/admon/tip.png

libs/admon/warning.png

libs/gnome-menus-C.ent

libs/img/bg-content.png

libs/img/cap-bottom.png

libs/img/cap-top.png

libs/img/headerlogo.png

libs/img/help-about.png

libs/img/tab_off_ns1.png

libs/img/tab_off_ns2.png

libs/img/tab_on_ns1.png

libs/img/tab_on_ns2.png

libs/img/ubuntuheader.png

libs/navig/home.png

libs/navig/next.png

libs/navig/prev.png

libs/navig/toc-blank.png

libs/navig/up.png

libs/ubuntu-book.css

musicvideophotos/C/musicvideophotos.xml

musicvideophotos/po/musicvideophotos.pot

newtoubuntu/po/newtoubuntu.pot

office/C/office.xml

office/po/office.pot

printing/C/printing.xml

printing/po/printing.pot

programming/C/programming.xml

programming/po/programming.pot

serverguide/C/dns.xml

serverguide/C/file-server.xml

serverguide/C/installation.xml

serverguide/C/lamp-applications.xml

serverguide/C/mail.xml

serverguide/C/network-auth.xml

serverguide/C/network-config.xml

serverguide/C/package-management.xml

serverguide/C/remote-administration.xml

serverguide/C/security.xml

serverguide/C/serverguide.xml

serverguide/C/vcs.xml

serverguide/C/virtualization.xml

serverguide/C/web-servers.xml

serverguide/C/windows-networking.xml

serverguide/po/serverguide.pot

switching/C/installing.xml

switching/C/whyswitch.xml

windows/C/glossary.xml

windows/po/windows.pot

Show diffs side-by-side

added added

removed removed

serverguide/C/network-auth.xml

319

</para>

320

321

322

<command>ldapadd -x -D cn=admin,cn=config -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{8\}misc.ldif</command>

322

<command>ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{8\}misc.ldif</command>

323

</screen>

324

325

</step>

591

dn: olcDatabase={1}hdb,cn=config

592

changetype: modify

593

add: olcRootDN

594

olcRootDN: cn=admin,dc=example,dc=edu

594

olcRootDN: cn=admin,dc=example,dc=com

595

596

add: olcSyncRepl

597

olcSyncRepl: rid=003 provider=ldap://ldap01.example.com binddn="cn=admin,dc=example,dc=com"

664

<para>

665

The <application>slapd</application> daemon will send log information to <filename>/var/log/syslog</filename>

666

by default. So if all does <emphasis>not</emphasis> go well check there for errors and other troubleshooting information.

667

Also, be sure that each server knows it's Fully Qualified Domain Name (FQDN). This is configured in <filename>/etc/hosts</filename>

668

with a line similar to: <programlisting>127.0.0.1 ldap01.example.com ldap01</programlisting>.

667

669

</para>

668

670

</note>

669

671

920

922

</para>

921

923

922

924

923

<command>sudo auth-client-config -a -p lac_ldap</command>

925

<command>sudo auth-client-config -t nss -p lac_ldap</command>

924

926

</screen>

925

927

926

928

927

929

928

930

<para>

929

<emphasis>-a:</emphasis> applies the specified profile.

931

<emphasis>-t:</emphasis> only modifies <filename>/etc/nsswitch.conf</filename>.

930

932

</para>

931

933

</listitem>

932

934

943

945

</itemizedlist>

944

946

945

947

<para>

948

Using the <application>pam-auth-update</application>, configure the system to use LDAP for authentication:

949

</para>

950

951

952

<command>sudo pam-auth-update ldap</command>

953

</screen>

954

955

<para>

956

From the <application>pam-auth-update</application> menu, choose LDAP and any other authentication mechanisms you need.

957

</para>

958

959

<para>

946

960

You should now be able to login using user credentials stored in the LDAP directory.

947

961

</para>

948

962

1346

1360

</para>

1347

1361

1348

1362

1349

<command>ldapadd -x -D cn=admin,cn=config -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}misc.ldif</command>

1363

<command>ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}samba.ldif</command>

1350

1364

</screen>

1351

1365

1352

1366

</step>

1473

1487

ldap user suffix = ou=People

1474

1488

ldap group suffix = ou=Groups

1475

1489

ldap machine suffix = ou=Computers

1476

ldap idmap suffix = dc=example,dc=com

1490

ldap idmap suffix = ou=Idmap

1477

1491

ldap admin dn = cn=admin,dc=example,dc=com

1478

1492

ldap ssl = start tls

1479

1493

ldap passwd sync = yes

2223

2237

2224

2238

</sect2>

2225

2239

</sect1>

2240

2241

<title>Kerberos and LDAP</title>

2242

2243

<para>

2244

Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user

2245

database to your network. Fortunately, MIT Kerberos can be configured to use an <application>LDAP</application>

2246

directory as a principal database. This section covers configuring a primary and secondary kerberos server to use

2247

<application>OpenLDAP</application> for the principal database.

2248

</para>

2249

2250

2251

<title>Configuring OpenLDAP</title>

2252

2253

<para>

2254

First, the necessary <emphasis>schema</emphasis> needs to be loaded on an <application>OpenLDAP</application> server that has

2255

network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication

2256

configured between at least two servers. For information on setting up OpenLDAP see <xref linkend="openldap-server"/>.

2257

</para>

2258

2259

<note>

2260

<para>

2261

It is recommended to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted.

2262

See <xref linkend="openldap-tls"/> for details.

2263

</para>

2264

</note>

2265

2266

2267

2268

<para>

2269

To load the schema into LDAP, on the LDAP server install the <application>krb5-kdc-ldap</application> package.

2270

From a terminal enter:

2271

</para>

2272

2273

2274

<command>sudo apt-get install krb5-kdc-ldap</command>

2275

</screen>

2276

2277

</listitem>

2278

2279

<para>

2280

Next, extract the <filename>kerberos.schema.gz</filename> file:

2281

</para>

2282

2283

2284

<command>sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz</command>

2285

<command>sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/</command>

2286

</screen>

2287

2288

</listitem>

2289

2290

2291

<para>

2292

The <emphasis>kerberos</emphasis> schema needs to be added to the <emphasis>cn=config</emphasis> tree.

2293

The procedure to add a new schema to <application>slapd</application> is also detailed in

2294

<xref linkend="openldap-configuration"/>.

2295

</para>

2296

2297

2298

<step>

2299

<para>

2300

First, create a configuration file named <filename>schema_convert.conf</filename>, or a similar

2301

descriptive name, containing the following lines:

2302

</para>

2303

2304

2305

include /etc/ldap/schema/core.schema

2306

include /etc/ldap/schema/collective.schema

2307

include /etc/ldap/schema/corba.schema

2308

include /etc/ldap/schema/cosine.schema

2309

include /etc/ldap/schema/duaconf.schema

2310

include /etc/ldap/schema/dyngroup.schema

2311

include /etc/ldap/schema/inetorgperson.schema

2312

include /etc/ldap/schema/java.schema

2313

include /etc/ldap/schema/misc.schema

2314

include /etc/ldap/schema/nis.schema

2315

include /etc/ldap/schema/openldap.schema

2316

include /etc/ldap/schema/ppolicy.schema

2317

include /etc/ldap/schema/kerberos.schema

2318

</programlisting>

2319

2320

2321

</step>

2322

<step>

2323

2324

<para>

2325

Create a temporary directory to hold the LDIF files:

2326

</para>

2327

2328

<command>mkdir /tmp/ldif_output</command>

2329

</screen>

2330

2331

</step>

2332

<step>

2333

2334

<para>

2335

Now use <application>slaptest</application> to convert the schema files:

2336

</para>

2337

2338

2339

<command>slaptest -f schema_convert.conf -F /tmp/ldif_output</command>

2340

</screen>

2341

2342

<para>

2343

Change the above file and path names to match your own if they are different.

2344

</para>

2345

2346

</step>

2347

<step>

2348

2349

<para>

2350

Edit the generated <filename>/tmp/ldif_output/cn=config/cn=schema/cn={12}kerberos.ldif</filename>

2351

file, changing the following attributes:

2352

</para>

2353

2354

2355

dn: cn=kerberos,cn=schema,cn=config

2356

...

2357

cn: kerberos

2358

</programlisting>

2359

2360

<para>

2361

And remove the following lines from the end of the file:

2362

</para>

2363

2364

2365

structuralObjectClass: olcSchemaConfig

2366

entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc

2367

creatorsName: cn=config

2368

createTimestamp: 20090111203515Z

2369

entryCSN: 20090111203515.326445Z#000000#000#000000

2370

modifiersName: cn=config

2371

modifyTimestamp: 20090111203515Z

2372

</programlisting>

2373

2374

<note>

2375

<para>

2376

The attribute values will vary, just be sure the attributes are removed.

2377

</para>

2378

</note>

2379

2380

</step>

2381

<step>

2382

2383

<para>

2384

Finally, load the new schema with <application>ldapadd</application>:

2385

</para>

2386

2387

2388

<command>ldapadd -x -D cn=admin,cn=config -W -f /tmp/ldif_output/cn\=config/cn\=schema/cn\=\{12\}kerberos.ldif</command>

2389

</screen>

2390

2391

</step>

2392

</procedure>

2393

</listitem>

2394

</itemizedlist>

2395

2396

<para>

2397

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.

2398

</para>

2399

2400

</sect2>

2401

2402

<title>Primary KDC Configuration</title>

2403

2404

<para>

2405

With <application>OpenLDAP</application> configured it is time to configure the KDC.

2406

</para>

2407

2408

2409

2410

<para>

2411

First, install the necessary packages, from a terminal enter:

2412

</para>

2413

2414

2415

<command>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</command>

2416

</screen>

2417

2418

</listitem>

2419

2420

2421

<para>

2422

Now edit <filename>/etc/krb5.conf</filename> adding the following options to under the appropriate sections:

2423

</para>

2424

2425

2426

[libdefaults]

2427

default_realm = EXAMPLE.COM

2428

2429

...

2430

2431

[realms]

2432

EXAMPLE.COM = {

2433

kdc = kdc01.example.com

2434

kdc = kdc02.example.com

2435

admin_server = kdc01.example.com

2436

admin_server = kdc02.example.com

2437

default_domain = example.com

2438

database_module = openldap_ldapconf

2439

}

2440

2441

...

2442

2443

[domain_realm]

2444

.example.com = EXAMPLE.COM

2445

2446

2447

...

2448

2449

[dbdefaults]

2450

ldap_kerberos_container_dn = dc=example,dc=com

2451

2452

[dbmodules]

2453

openldap_ldapconf = {

2454

db_library = kldap

2455

ldap_kdc_dn = "cn=admin,dc=example,dc=com"

2456

2457

# this object needs to have read rights on

2458

# the realm container, principal container and realm sub-trees

2459

ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

2460

2461

# this object needs to have read and write rights on

2462

# the realm container, principal container and realm sub-trees

2463

ldap_service_password_file = /etc/krb5kdc/service.keyfile

2464

ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com

2465

ldap_conns_per_server = 5

2466

}

2467

</programlisting>

2468

2469

<note>

2470

<para>

2471

Change <emphasis>example.com</emphasis>, <emphasis>dc=example,dc=com</emphasis>, <emphasis>cn=admin,dc=example,dc=com</emphasis>,

2472

and <emphasis>ldap01.example.com</emphasis> to the appropriate domain, LDAP object, and LDAP server for your network.

2473

</para>

2474

</note>

2475

2476

</listitem>

2477

2478

2479

<para>

2480

Next, use the <application>kdb5_ldap_util</application> utility to create the realm:

2481

</para>

2482

2483

2484

<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com</command>

2485

</screen>

2486

2487

</listitem>

2488

2489

2490

<para>

2491

Create a stash of the password used to bind to the LDAP server. This password is used by the <emphasis>ldap_kdc_dn</emphasis> and

2492

<emphasis>ldap_kadmin_dn</emphasis> options in <filename>/etc/krb5.conf</filename>:

2493

</para>

2494

2495

2496

<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</command>

2497

</screen>

2498

2499

</listitem>

2500

2501

2502

<para>

2503

Finally, add an index for the <emphasis>krb5principalname</emphasis> attribute:

2504

</para>

2505

2506

2507

<command>ldapmodify -x -D cn=admin,cn=config -W</command>

2508

<computeroutput>Enter LDAP Password:

2509

<userinput>dn: olcDatabase={1}hdb,cn=config

2510

add: olcDbIndex

2511

olcDbIndex: krbPrincipalName eq,pres,sub</userinput>

2512

2513

modifying entry "olcDatabase={1}hdb,cn=config"</computeroutput>

2514

</screen>

2515

2516

</listitem>

2517

</itemizedlist>

2518

2519

<para>

2520

You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication.

2521

To add a principal using the <application>kadmin.local</application> utility enter:

2522

</para>

2523

2524

2525

<command>sudo kadmin.local</command>

2526

<computeroutput>Authenticating as principal root/admin@EXAMPLE.COM with password.

2527

kadmin.local: <userinput>addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve</userinput>

2528

WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy

2529

Enter password for principal "steve@EXAMPLE.COM":

2530

Re-enter password for principal "steve@EXAMPLE.COM":

2531

Principal "steve@EXAMPLE.COM" created.</computeroutput>

2532

</screen>

2533

2534

<para>

2535

There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the

2536

<emphasis>uid=steve,ou=people,dc=example,dc=com</emphasis> user object. Use the <application>kinit</application> and

2537

<application>klist</application> utilities to test that the user is indeed issued a ticket.

2538

</para>

2539

2540

<note>

2541

<para>

2542

If the user object is already created the <emphasis>-x dn="..."</emphasis> option is needed to add the Kerberos attributes.

2543

Otherwise a new <emphasis>principal</emphasis> object will be created in the realm subtree.

2544

</para>

2545

</note>

2546

2547

</sect2>

2548

2549

<title>Secondary KDC Configuration</title>

2550

2551

<para>

2552

Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database.

2553

</para>

2554

2555

2556

2557

<para>

2558

First, install the necessary packages. In a terminal enter:

2559

</para>

2560

2561

2562

<command>sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap</command>

2563

</screen>

2564

2565

</listitem>

2566

2567

2568

<para>

2569

Next, edit <filename>/etc/krb5.conf</filename> to use the LDAP backend:

2570

</para>

2571

2572

2573

[libdefaults]

2574

default_realm = EXAMPLE.COM

2575

2576

...

2577

2578

[realms]

2579

EXAMPLE.COM = {

2580

kdc = kdc01.example.com

2581

kdc = kdc02.example.com

2582

admin_server = kdc01.example.com

2583

admin_server = kdc02.example.com

2584

default_domain = example.com

2585

database_module = openldap_ldapconf

2586

}

2587

2588

...

2589

2590

[domain_realm]

2591

.example.com = EXAMPLE.COM

2592

2593

...

2594

2595

[dbdefaults]

2596

ldap_kerberos_container_dn = dc=example,dc=com

2597

2598

[dbmodules]

2599

openldap_ldapconf = {

2600

db_library = kldap

2601

ldap_kdc_dn = "cn=admin,dc=example,dc=com"

2602

2603

# this object needs to have read rights on

2604

# the realm container, principal container and realm sub-trees

2605

ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

2606

2607

# this object needs to have read and write rights on

2608

# the realm container, principal container and realm sub-trees

2609

ldap_service_password_file = /etc/krb5kdc/service.keyfile

2610

ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com

2611

ldap_conns_per_server = 5

2612

}

2613

</programlisting>

2614

2615

2616

</listitem>

2617

2618

2619

<para>

2620

Create the stash for the LDAP bind password:

2621

</para>

2622

2623

2624

<command>sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com</command>

2625

</screen>

2626

2627

</listitem>

2628

2629

2630

<para>

2631

Now, on the <emphasis>Primary KDC</emphasis> copy the <filename>/etc/krb5kdc/.k5.EXAMPLE.COM</filename>

2632

<emphasis>Master Key</emphasis> stash to the Secondary KDC. Be sure to copy the file over an encrypted

2633

connection such as <application>scp</application>, or on physical media.

2634

</para>

2635

2636

2637

<command>sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~</command>

2638

<command>sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/</command>

2639

</screen>

2640

2641

<note>

2642

<para>

2643

Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm.

2644

</para>

2645

</note>

2646

2647

</listitem>

2648

2649

2650

<para>

2651

Finally, start the <application>krb5-kdc</application> daemon:

2652

</para>

2653

2654

2655

<command>sudo /etc/init.d/krb5-kdc start</command>

2656

</screen>

2657

2658

</listitem>

2659

</itemizedlist>

2660

2661

<para>

2662

You now have redundant KDCs on your network, and with redundant LDAP servers you should be able to

2663

continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos

2664

server become unavailable.

2665

</para>

2666

2667

</sect2>

2668

2669

<title>Resources</title>

2670

2671

2672

2673

<para>

2674

The <ulink url="http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend">

2675

Kerberos Admin Guide</ulink> has some additional details.

2676

</para>

2677

</listitem>

2678

2679

<para>

2680

For more information on <application>kdb5_ldap_util</application> see

2681

2682

Section 5.6</ulink> and the

2683

<ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man8/kdb5_ldap_util.8.html">kdb5_ldap_util man page</ulink>.

2684

</para>

2685

</listitem>

2686

2687

<para>

2688

Another useful link is the <ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man5/krb5.conf.5.html">krb5.conf man page</ulink>.

2689

</para>

2690

</listitem>

2691

</itemizedlist>

2692

2693

</sect2>

2694

</sect1>

2226

2695

</chapter>

Older »