mycroes

There's always time to play

Thursday, September 30, 2010

Updating Ubuntu without removing grub-efi

Ubuntu still tries to remove grub-efi every time a new kernel arrives. I have a Mac Mini without a display, so grub-pc is useless for me. How do I stop apt from removing grub-efi on every kernel update?

Simple solution: name grub-efi explicitly in the install command, so apt treats it as a package you want kept, regardless of whether a newer version is available:
$ sudo apt-get install linux-generic-pae grub-efi
Reading package lists... Done
Building dependency tree
Reading state information... Done
grub-efi is already the newest version.
The following extra packages will be installed:
linux-image-2.6.35-22-generic-pae linux-image-generic-pae
Suggested packages:
fdutils linux-doc-2.6.35 linux-source-2.6.35 linux-tools
Recommended packages:
grub-pc grub lilo
The following NEW packages will be installed:
linux-image-2.6.35-22-generic-pae
The following packages will be upgraded:
linux-generic-pae linux-image-generic-pae
2 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 34.1MB of archives.
After this operation, 107MB of additional disk space will be used.
Do you want to continue [Y/n]?


And voila, grub-pc is a suggested package and no longer forced upon me! Thanks go out to Frank Groeneveld for suggesting the solution!
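The check a practitioner would want before a kernel update is to ask apt what it plans to do and refuse if grub-efi shows up in the removal list. This is an added example, not from the original post: it uses apt-get's simulation mode (-s), whose "Remv <package> [...]" lines are parsed here; the guarded_install wrapper and the sample lines below are my own construction.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run guard that refuses a
# kernel upgrade if apt-get would remove grub-efi.
# Assumes apt-get -s prints one "Remv <pkg> [<version>]" line per removal.

# Print the package names a simulated apt-get run would remove, one per line.
# Reads the apt-get -s output on stdin.
removals_from_simulation() {
    awk '$1 == "Remv" { print $2 }'
}

# Return 0 if PKG is among the removals in the simulation read from stdin.
would_remove() {
    pkg="$1"
    removals_from_simulation | grep -qx "$pkg"
}

# Simulate the real install first; only run it if grub-efi survives.
# Usage: guarded_install linux-generic-pae grub-efi
guarded_install() {
    keep="grub-efi"
    if sudo apt-get -s install "$@" | would_remove "$keep"; then
        echo "refusing: apt-get would remove $keep" >&2
        return 1
    fi
    sudo apt-get install "$@"
}
```

Run guarded_install with the same arguments you would give apt-get install; the simulation needs no root, but the wrapper uses sudo for both steps so the two runs resolve dependencies identically.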

Installing Samba 4 on Ubuntu Maverick (10.10)

Samba 4 is currently able to serve as an Active Directory domain controller for both Windows XP and Windows 7 (as tested by me) and probably for other Windows versions too. With Ubuntu 10.10 there finally is a recent enough version to make use of all the current Samba 4 functionality, however some issues still remain. This post will provide a short guide to setting up Samba 4 on your Ubuntu Maverick system, but it won't go into more advanced Samba topics. At first I wanted this to be a full step-by-step guide, however I can't find the time to complete it as such (I started writing when Maverick was in beta). I welcome comments adding more details and I hope everyone will be able to follow this howto.

Let's start by updating the system.
$ sudo apt-get update


Next add a PPA which includes a more recent Bind 9 version. I believe this is mainly needed so your Windows clients can send DNS updates to the domain controller, but I can't say I thoroughly tested with the Ubuntu Maverick distributed version.

Personally I used bind9 from Hauke Lampe's PPA (BIND 9 Updates : Hauke Lampe).

Install samba4 and bind9:
$ sudo apt-get install samba4 samba4-clients bind9


Move existing smb.conf:
$ sudo mv /etc/samba/smb.conf{,.old}


Create a samba 4 config and provision the database:
$ sudo LD_PRELOAD=/usr/lib/libdcerpc.so.0.0.1 /usr/share/samba/setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'

You might be wondering what this LD_PRELOAD is about: it's needed because some of the Samba binaries in this package were built without a link to the dcerpc library, so the library has to be loaded explicitly.

Now we want to start samba, but there's another issue ahead. The samba4 init script doesn't check for the existence of the samba directory in /var/run (the directory that will hold the PID file), so let's add that ourselves, right after the startup message:
# /etc/init.d/samba4
...
log_daemon_msg "Starting Samba 4 daemon" "samba"

# create the run directory for the PID file (e.g. /var/run/samba) if missing
if [ ! -d "$(dirname "$SAMBAPID")" ]; then
    mkdir -p "$(dirname "$SAMBAPID")"
fi

if !...


We're still not there yet... Remember the missing library link? It will also bite while running Samba, so let's work around it by creating local versions of the samba programs that load the library and then hand over to the real binary. Because /usr/local/sbin comes before /usr/sbin in the PATH, the wrappers get picked up first.

Create /usr/local/sbin/samba:
#!/bin/sh
# Wrapper: preload libdcerpc and run the /usr/sbin program of the same name
# as this script (samba, samba_dnsupdate or samba_spnupdate via symlinks),
# passing all arguments through unchanged.
export LD_PRELOAD=/usr/lib/libdcerpc.so.0.0.1
exec /usr/sbin/"$(basename "$0")" "$@"


Now symlink samba_dnsupdate and samba_spnupdate to the same file:
$ sudo ln -s /usr/local/sbin/samba{,_dnsupdate}
$ sudo ln -s /usr/local/sbin/samba{,_spnupdate}


Now start samba:
$ sudo /etc/init.d/samba4 start


Let's do a quick test if it's working:
$ smbclient -UAdministrator -Llocalhost
Password for [SAMDOM\Administrator]:

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.0.0alpha12-GIT-UNKNOWN)
ADMIN$ Disk DISK Service (Samba 4.0.0alpha12-GIT-UNKNOWN)
REWRITE: list servers not implemented

Seems to be working!

Now let's get DNS working too. Start by editing named.conf.local:
// /etc/bind/named.conf.local
...
//include "/etc/bind/zones.rfc1918";

include "/var/lib/samba/private/named.conf";

Thought we were done? Think again! AppArmor confines bind and keeps it away from our samba4 files; I'd rather have bind read them, so add the two rules below to named's profile (before the closing brace):
# /etc/apparmor.d/usr.sbin.named
...
/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,

}

Reload AppArmor profiles and restart bind:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/bind9 restart

Bind should now start without any issues. Next is to actually use bind for DNS:
# /etc/resolv.conf
nameserver 127.0.0.1

You can verify it's working by querying DNS for the Kerberos service record:
$ host -t SRV _kerberos._udp.samdom.example.com

This should return an SRV record pointing at your domain controller; if it doesn't, something's broken!

Now let's move the Kerberos config into place:
$ sudo cp /var/lib/samba/private/krb5.conf /etc/


You can verify it's working by installing krb5-user and doing a kinit Administrator, but since Kerberos comes out of the box with samba, I'm assuming it's working (it always did for me).

If you chose to add a PPA with a recent Bind version, you can enable Kerberized DNS updates by pointing named to the correct principal and keytab. More details on this can be found on the Samba 4 howto, I will add my own details here later.



You should now be able to administer your Samba 4 domain controller using the Microsoft utilities for Windows server management, the Samba net tool or direct LDAP queries.
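Since this howto has quite a few places where things can silently go wrong (the AppArmor profile, the bind include, resolv.conf, the SRV record, krb5.conf, the run directory), here is a post-provision check script that verifies each of them. It is an added example, not part of the original post: the file paths are the ones used above, the realm defaults to samdom.example.com, the host(1) output format it parses ("<name> has SRV record <prio> <weight> <port> <target>.") is the real one, and every check takes its input as an argument so it can be exercised against test files as well as the live system.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the Samba 4
# domain controller setup described above.  Paths come from the howto.

# The named AppArmor profile must grant rw on Samba's private and dns dirs.
apparmor_allows_samba() {
    profile="$1"
    grep -Eq '^[[:space:]]*/var/lib/samba/private/\*[[:space:]]+rw,' "$profile" &&
    grep -Eq '^[[:space:]]*/var/lib/samba/private/dns/\*[[:space:]]+rw,' "$profile"
}

# named.conf.local must include the zone config Samba generated (not commented out).
bind_includes_samba_zones() {
    grep -Eq '^[[:space:]]*include[[:space:]]+"/var/lib/samba/private/named.conf";' "$1"
}

# The resolver must point at the local bind so Kerberos can find the DC.
resolver_is_local() {
    grep -Eq '^nameserver[[:space:]]+127\.0\.0\.1$' "$1"
}

# Parse `host -t SRV` output on stdin; print the SRV target without trailing dot.
# Prints nothing if no SRV record is present.
kerberos_srv_target() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Run every check against the live system; report failures, exit non-zero on any.
# Usage: check_domain_controller [realm]
check_domain_controller() {
    realm="${1:-samdom.example.com}"
    rc=0
    apparmor_allows_samba /etc/apparmor.d/usr.sbin.named ||
        { echo "FAIL: named AppArmor profile lacks samba private rules" >&2; rc=1; }
    bind_includes_samba_zones /etc/bind/named.conf.local ||
        { echo "FAIL: named.conf.local does not include samba's named.conf" >&2; rc=1; }
    resolver_is_local /etc/resolv.conf ||
        { echo "FAIL: /etc/resolv.conf does not use 127.0.0.1" >&2; rc=1; }
    target=$(host -t SRV "_kerberos._udp.$realm" 2>/dev/null | kerberos_srv_target)
    [ -n "$target" ] ||
        { echo "FAIL: no Kerberos SRV record for $realm" >&2; rc=1; }
    [ -f /etc/krb5.conf ] ||
        { echo "FAIL: /etc/krb5.conf not in place" >&2; rc=1; }
    [ -d /var/run/samba ] ||
        { echo "FAIL: /var/run/samba missing (init script fix not applied?)" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return $rc
}
```

Run check_domain_controller after the bind restart; a clean run prints "all checks passed", and each failing check names the step of the howto to revisit.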

Updates

dec 8 2010, 22:56

Added missing apparmor policy changes

Monday, September 6, 2010

Rsync and remote sudo

Running rsync with superuser privileges on the remote side can be hard at times, but here's an easy solution that works on Ubuntu 10.04 (some other solutions failed to work):
$ echo "password" | ssh HOST sudo -S -v
$ sudo rsync -a -e ssh --rsync-path="sudo rsync" SRC HOST:DST

(HOST, SRC and DST are placeholders for your own remote host, source and destination.) The first line refreshes the sudo timestamp on the remote host, so the second line can start the remote rsync through sudo without being asked for a password. Keep in mind that this doesn't take care of credentials for ssh, so you will need to take care of this using keys, agents or some external authentication mechanism like Kerberos. Also note that a password given to echo on the command line ends up in your shell history, so prefer typing it at a prompt.
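The same two steps wrapped in a function, as an added example that is not part of the original post. It keeps the post's mechanism exactly (sudo -S -v reading the password from stdin over a non-tty ssh session, then rsync with --rsync-path="sudo rsync"), but reads the password at a local prompt with echo turned off instead of taking it from the command line. It assumes the local user can read the source files (run the function itself under sudo, as the post does, if they are root-only); the DRY_RUN switch is my own addition for testing.

```shell
#!/bin/sh
# Added example (not from the original post): rsync to a host where the
# remote rsync must run under sudo.
# Usage: remote_sudo_rsync user@host /local/src/ /remote/dst/
# DRY_RUN=1 prints the rsync command instead of contacting the host.

remote_sudo_rsync() {
    host="$1"; src="$2"; dst="$3"
    if [ -z "$host" ] || [ -z "$src" ] || [ -z "$dst" ]; then
        echo "usage: remote_sudo_rsync user@host SRC DST" >&2
        return 2
    fi

    # Step 1: refresh the remote sudo timestamp.  The password is read here
    # with terminal echo off and handed to `sudo -S` on its stdin, so it never
    # appears in the command line, shell history or process list.
    if [ "${DRY_RUN:-0}" != 1 ]; then
        printf 'sudo password for %s: ' "$host" >&2
        stty -echo; read -r pw; stty echo; echo >&2
        printf '%s\n' "$pw" | ssh "$host" sudo -S -v || { unset pw; return 1; }
        unset pw
    fi

    # Step 2: the actual sync; the remote rsync is started through sudo, and
    # reuses the timestamp just refreshed.
    set -- rsync -a -e ssh --rsync-path="sudo rsync" "$src" "$host:$dst"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}
```

The timestamp refresh and the sync both talk to sudo from a non-tty ssh session, which is what makes the post's approach work; if sudo on the remote host is configured with tty_tickets, keep the two sessions of the same kind (both without a tty, as here).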