The Hannibal fileserver offers its services to all kinds of workstations, e.g. GNU/Linux, Mac OS X and Microsoft Windows. A client can communicate with the server via several open standard protocols. At this moment the Hannibal fileserver offers NFS, SMB/CIFS, FTP and WebDAV.
======Prerequisites======
We want all the daemons on our fileserver to use the same LDAP-based sign-on source for user management.
So we need an LDAP server, and PAM/NSSwitch on our server must be configured to connect to LDAP:
* Hannibal documentation on [[hannibal:fds|how to install an LDAP server]] for user authentication.
* Hannibal documentation on [[hannibal:ldap-auth|how to turn a server into an LDAP client]].
=====NFS-protocol=====
====NFS-server====
Our fileserver can share (export) parts of its storage to UNIX-based clients using the NFS protocol. We chose the NFS kernel server over the userland NFS server for performance reasons.
Install the software:
apt-get install nfs-common nfs-kernel-server portmap
Define your NFS-exports in /etc/exports
#
/export/home 192.168.1.0/255.255.255.0(rw,async,wdelay,nohide,insecure,no_root_squash,subtree_check)
/export/home2 192.168.2.0/255.255.255.0(rw,async,wdelay,nohide,insecure,no_root_squash,subtree_check)
/export/home3 192.168.2.0/255.255.255.0(ro,async,wdelay,subtree_check)
#
Let the NFS-server use the new config:
exportfs -r
You can view your NFS-exports issuing the commands: exportfs and showmount.
In case showmount reports problems, also configure /etc/hosts.allow (and optionally /etc/hosts.deny):
#
ALL: 255.255.255.255 0.0.0.0
#
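The export options above are the ones that matter most for the server's trust boundary: no_root_squash lets root on the client act as root on the export, and insecure accepts requests from unprivileged source ports. The following audit script is an added example, not part of the Hannibal documentation or of nfs-kernel-server; it writes a constructed copy of the exports shown above (plus one extra constructed line) to a temporary file and flags those options, so it runs without touching the real /etc/exports.

```shell
#!/bin/sh
# Audit an exports file for options that widen the server's trust boundary.
# Added example; the sample exports below are a constructed copy of the
# ones on this page so the check runs without the real /etc/exports.

# exports_risky FILE
# Prints one line per risky option found:  PATH CLIENT OPTION REASON
# A "(options)" token separated from its host by a space is the classic
# exports pitfall: the options then apply to every client ("*").
exports_risky() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)/)) {
                opts   = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "") client = "*"       # "host (opts)": opts for everyone
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "no_root_squash")
                    print path, client, o[j], "client root keeps root on the server"
                else if (o[j] == "insecure")
                    print path, client, o[j], "requests from unprivileged ports accepted"
                else if (o[j] == "rw" && client == "*")
                    print path, client, o[j], "writable by every host"
            }
        }
    }' "$1"
}

# exports_risky_count FILE -> number of findings, 0 for a clean file
exports_risky_count() {
    exports_risky "$1" | wc -l | tr -d ' '
}

# --- constructed sample: the three exports from this page plus the pitfall ---
SAMPLE_EXPORTS=$(mktemp)
cat > "$SAMPLE_EXPORTS" <<'EOF'
/export/home 192.168.1.0/255.255.255.0(rw,async,wdelay,nohide,insecure,no_root_squash,subtree_check)
/export/home2 192.168.2.0/255.255.255.0(rw,async,wdelay,nohide,insecure,no_root_squash,subtree_check)
/export/home3 192.168.2.0/255.255.255.0(ro,async,wdelay,subtree_check)
# constructed: the space before the option list makes the options apply to "*"
/export/public 192.168.1.0/255.255.255.0 (rw,no_subtree_check)
EOF

exports_risky "$SAMPLE_EXPORTS"
echo "findings: $(exports_risky_count "$SAMPLE_EXPORTS")"
```

Run it against the real file with `exports_risky /etc/exports` after `exportfs -r`; the read-only /export/home3 line produces no finding, while the two home exports each produce two.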
====NFS-client (incl. automounter)====
When UNIX users log on to several servers in a network, you may want to give them a single home directory that is available on all (UNIX) servers. This can be done with automount.
Install the software on the server (instance) that will mount the home directories of its users:
apt-get install nfs-common portmap autofs
Create /etc/auto.master
# $Id: auto.master,v 1.2 1997/10/06 21:52:03 hpa Exp $
# Sample auto.master file
# Format of this file:
# mountpoint map options
# For details of the format look at autofs(5).
#
/home /etc/auto.home --timeout=600
#
Create /etc/auto.home
#
#* -fstype=nfs,vers=3,rsize=8192,wsize=8192,intr,fstype=nfs,soft,nosuid,tcp file.intra.example.com:/export/home/&
#
* -fstype=nfs,vers=3,rsize=8192,wsize=8192,timeo=14,intr,hard,tcp,nosuid,nfsvers=3,noatime file.intra.example.com:/export/home/&
#
As an alternative, add a line like this to /etc/fstab:
fileserver.intra.example.com:/home /home nfs intr,hard,nosuid,tcp,nfsvers=3,retrans=10,timeo=20,noatime,acdirmin=0,acdirmax=0,acregmax=10
or, more simply:
fileserver.intra.example.com:/home /home nfs defaults,vers=3
When using NFS version 4, take /etc/idmapd.conf (and the startup setting in /etc/default/nfs-common) into account.
=====SMB/CIFS-protocol=====
====Samba version-3====
We used to run Samba 3 in Samba 2 compatibility mode. That was before we switched to the Fedora Directory Server as our preferred directory server. We keep some [[hannibal:samba_legacy|legacy documentation]] on Samba 2 and the Samba 2 compatibility mode.
We assume you are running the Fedora Directory Server with the LDAP schema for Samba 3. The chapter on [[hannibal:fds|installing the Fedora Directory Server]] already described the custom LDAP schema that Samba 3 requires ([[61samba.ldif]]).
===Installation===
apt-get install samba samba-doc smbldap-tools
===Configuration===
Configure the /etc/samba/smb.conf file
[global]
workgroup = HANNIBAL
netbios name = FILESERVER
security = user
passdb backend = ldapsam:ldap://ldap.intra.example.com
ldap admin dn = cn=Directory Manager
ldap suffix = dc=intra,dc=example,dc=com
ldap user suffix = ou=People
ldap idmap suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = start tls
ldap delete dn = no
obey pam restrictions = no
encrypt passwords = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
add machine script = /usr/sbin/smbldap-useradd -w "%u"
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 255
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins support = yes
logon path =
logon drive = L:
template shell = /bin/false
winbind use default domain = no
[netlogon]
comment = Network Logon Service
path = /home/system/netlogon
read only = yes
browseable = no
[homes]
comment = Home Directories
browseable = no
read only = no
guest ok = no
create mode = 0664
directory mode = 0775
# Example share
#[research]
# comment = Research Share
# path = /home/research
# write list = @research,@staff
# valid users = @research,@staff
# force group = "research"
# create mode = 664
# directory mode = 775
Create the netlogon directory
mkdir -p /home/system/netlogon
Specify the password to be used with the ldap admin dn. Note that the password is stored in /var/lib/samba/secrets.tdb and is keyed off of the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be manually updated as well.
smbpasswd -w rootdn_password_here
We have to reconfigure PAM so that it will bind as the rootdn to the directory server whenever the user root needs to connect to the directory server.
Create a /etc/ldap.secret file and a /etc/pam_ldap.secret file that contain your rootdn password. Since these files hold a secret, only the user root should be able to read them.
echo rootdn_password_here > /etc/ldap.secret
chmod 600 /etc/ldap.secret
ln -s /etc/ldap.secret /etc/pam_ldap.secret
Add a line like this to /etc/libnss-ldap.conf and /etc/pam_ldap.conf
...
rootbinddn cn=Directory Manager
...
Restart the Samba-server
/etc/init.d/samba restart
Configure the smbldap-tools
Create a file /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap server for write access and a slave ldap server for read access.
# By default, we will use the same DN (so it will work for a standard Samba
# release)
slaveDN="cn=Directory Manager"
slavePw="rootdn_password_here"
masterDN="cn=Directory Manager"
masterPw="rootdn_password_here"
As this file contains the rootdn password, secure it:
chmod 600 /etc/smbldap-tools/smbldap_bind.conf
Create a file /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-2716392939-2958722027-3681302686"
slaveLDAP="ldap.intra.example.com"
slavePort="389"
masterLDAP="ldap.intra.example.com"
masterPort="389"
ldapTLS="1"
verify="optional"
cafile="/etc/ldap/cacerts/5be5959f.0"
suffix="dc=intra,dc=example,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=HANNIBAL,${suffix}"
scope="sub"
hash_encrypt="MD5"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="99"
userSmbHome="\\FILESERVER\home\%U"
userProfile="\\FILESERVER\profiles\%U"
userHomeDrive="L:"
userScript="%U.cmd"
mailDomain="intra.example.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
You can get the SID-entry for your configuration by running
net getlocalsid
Put the output in the /etc/smbldap-tools/smbldap.conf file
===Post-configuration===
Now let's fill the directory server with the necessary entries for Samba. Run the command:
smbldap-populate
The current version of smbldap-populate also applies some Samba-to-Linux group mappings.
You can verify them issuing:
net groupmap list
Otherwise, apply the group mappings manually:
net groupmap add rid=512 ntgroup='Domain Admins' unixgroup='Domain Admins'
net groupmap add rid=513 ntgroup='Domain Users' unixgroup='Domain Users'
net groupmap add rid=514 ntgroup='Domain Guests' unixgroup='Domain Guests'
net groupmap add rid=515 ntgroup='Domain Computers' unixgroup='Domain Computers'
Create an account to be used whenever you add a machine account to your domain via the MS Windows join-domain dialog. This account must have uidNumber=0 and gidNumber=0, so you could simply use the UNIX root account for this. We prefer the dedicated account 'admsamba', which has no use on the UNIX system apart from Samba.
smbldap-useradd -a -d /dev/null -P -s /bin/false admsamba
We have to make sure that this account has a User SID ending in RID 500 and a primary Group SID ending in RID 512.
pdbedit -U $( net getlocalsid | sed 's/SID for domain FILESERVER is: //' )-500 -u admsamba -r
pdbedit -G $( net getlocalsid | sed 's/SID for domain FILESERVER is: //' )-512 -u admsamba -r
Set uidNumber=0 and gidNumber=0 in LDAP yourself using an LDAP client. You can't use the smbldap-tools for this, as the root account already has these values in LDAP.
Accounts for your users can be added like so:
smbldap-useradd -a -d /home/firstuser -m -s /bin/bash firstuser
smbldap-passwd firstuser
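Two things in this section are easy to get subtly wrong: the SID in smbldap.conf must be the one `net getlocalsid` reports (the pdbedit lines above build the admsamba SIDs from it), and every file holding the rootdn password must be readable by root only. The script below is an added example, not part of the Hannibal documentation or of smbldap-tools; it takes the `net getlocalsid` output as a constructed string and works on constructed files in a temporary directory, so it runs without Samba or the directory server.

```shell
#!/bin/sh
# Post-configuration checks for the Samba/LDAP setup described above.
# Added example; it uses constructed input so it can run offline.

# sid_from_getlocalsid "<output of net getlocalsid>"
# Uses the same sed expression the page uses for pdbedit and checks that
# what is left looks like a domain SID (S-1-5-21-x-y-z).
sid_from_getlocalsid() {
    sid=$(printf '%s\n' "$1" | sed 's/SID for domain FILESERVER is: //')
    case "$sid" in
        S-1-5-21-[0-9]*-[0-9]*-[0-9]*) printf '%s\n' "$sid" ;;
        *) printf 'unexpected output: %s\n' "$1" >&2; return 1 ;;
    esac
}

# smbldap_sid FILE -> value of the SID="..." line in an smbldap.conf
smbldap_sid() {
    sed -n 's/^SID="\([^"]*\)"/\1/p' "$1"
}

# sid_matches GETLOCALSID_OUTPUT SMBLDAP_CONF -> "ok" or "mismatch"
sid_matches() {
    if [ "$(sid_from_getlocalsid "$1")" = "$(smbldap_sid "$2")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# secret_mode_ok FILE -> "ok" when group and other have no permission bits,
# i.e. the file is 0600 or stricter (uses ls, so it is portable across stat variants)
secret_mode_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) echo ok ;;
        *)      echo "too open: $(ls -ld "$1" | cut -c1-10)" ;;
    esac
}

# --- constructed sample data ---------------------------------------------
WORK=$(mktemp -d)
GETLOCALSID_OUT='SID for domain FILESERVER is: S-1-5-21-2716392939-2958722027-3681302686'
cat > "$WORK/smbldap.conf" <<'EOF'
SID="S-1-5-21-2716392939-2958722027-3681302686"
slaveLDAP="ldap.intra.example.com"
EOF
printf 'rootdn_password_here\n' > "$WORK/ldap.secret"
chmod 600 "$WORK/ldap.secret"
printf 'slavePw="rootdn_password_here"\n' > "$WORK/smbldap_bind.conf"
chmod 644 "$WORK/smbldap_bind.conf"     # deliberately left too open

echo "SID check:         $(sid_matches "$GETLOCALSID_OUT" "$WORK/smbldap.conf")"
echo "ldap.secret:       $(secret_mode_ok "$WORK/ldap.secret")"
echo "smbldap_bind.conf: $(secret_mode_ok "$WORK/smbldap_bind.conf")"
# the well-known RIDs the page assigns to admsamba with pdbedit:
echo "admsamba user SID:  $(sid_from_getlocalsid "$GETLOCALSID_OUT")-500"
echo "admsamba group SID: $(sid_from_getlocalsid "$GETLOCALSID_OUT")-512"
```

On the real server, call `sid_matches "$(net getlocalsid)" /etc/smbldap-tools/smbldap.conf` and run `secret_mode_ok` over /etc/ldap.secret, /etc/pam_ldap.secret and /etc/smbldap-tools/smbldap_bind.conf.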
=====FTP-protocol=====
We use ProFTPD because it is fast and scalable and supports PAM and SSL/TLS. The LDAP directory is used through PAM (the ProFTPD ldap-patch is not used here).
====Installation====
apt-get install proftpd proftpd-doc
====Configuration====
Edit the main configuration file /etc/proftpd/proftpd.conf
ServerName "ftpserver"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
AllowOverwrite on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
DenyFilter \*.*/
PersistentPasswd off
TLSEngine on
TLSProtocol TLSv1
TLSRequired on
TLSRSACertificateFile /etc/proftpd/tls/ftpcert.pem
TLSRSACertificateKeyFile /etc/proftpd/tls/ftpkey.pem
TLSCACertificateFile /etc/proftpd/tls/cacert.pem
TLSVerifyClient off
Port 21
MaxInstances 30
User nobody
Group nogroup
DefaultRoot ~
Umask 022 022
AllowOverwrite on
Configure proftpd's pam-module for LDAP, /etc/pam.d/proftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth
# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
#auth required pam_shells.so
@include common-account
@include common-session
If you want to grant FTP access only to members of a specific group, use the module pam_succeed_if. Adjust /etc/pam.d/proftpd to look like this:
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth
# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
#auth required pam_shells.so
account required pam_succeed_if.so user ingroup ftpusers
@include common-account
@include common-session
Create a directory for proftpd's certificates
mkdir -p /etc/proftpd/tls
The OpenSSL section in this document describes how to create certificates. Create them now and copy them to /etc/proftpd/tls. Make sure that their names correspond to the names in proftpd.conf.
Check that 'RUN=yes' is set in /etc/default/proftpd (this should be the default).
Restart the ProFTPd-server
/etc/init.d/proftpd restart
Now an SSL/TLS connection is required for FTP to work. Without it you receive a '550 SSL/TLS required on the control channel' error.
=====WebDAV=====
The WebDAV protocol allows file transfers over HTTP. You can use a web browser that supports WebDAV, the cadaver command-line client (apt-get install cadaver) or another WebDAV client to make a connection. For details see http://www.webdav.org
====Installation====
The Debian package 'apache2' has contained support for building a WebDAV server since Debian Sarge.
apt-get install apache2
====Configuration====
Check the configfile /etc/apache2/mods-available/dav_fs.conf
DAVLockDB /var/lock/apache2/DAVLock
Check the configfile /etc/apache2/mods-available/dav_fs.load
LoadModule dav_fs_module /usr/lib/apache2/modules/mod_dav_fs.so
Enable the dav_fs module
a2enmod dav_fs
/etc/init.d/apache2 force-reload
Let's make a directory available for WebDAV uploads.
mkdir /var/www/uploads
chown -R www-data /var/www/uploads
Create a config file /etc/apache2/sites-available/uploads. This configuration makes the directory /var/www/uploads available as the virtual directory /webdav in Apache:
Alias /webdav /var/www/uploads
Dav On
AuthType Basic
AuthName 'Hannibal Uploads'
AuthLDAPUrl ldap://ldap.intra.example.com/ou=People,dc=intra,dc=example,dc=com?uid?sub
AllowOverride AuthConfig
require valid-user
#require group cn=webdavgrp,ou=groups
#require filter "(&(webdav=yes)(webdavgrp=upload))"
Enable the new configuration:
a2ensite uploads
/etc/init.d/apache2 force-reload
Now point your WebDAV client of choice to http://yourwebserver/webdav and you should be prompted for a login.
====ssl====
Create an Apache config using IP-based virtual hosting.
Duplicate this config for every additional virtual WebDAV server, using an extra IP address and an extra set of SSL certificates for each WebDAV server. The directives are listed without their enclosing VirtualHost and Directory containers.
ServerName webdav.example.com
ServerAdmin webdavmaster@example.com
DocumentRoot /var/webdav.example.com/htdocs
Options FollowSymLinks
AllowOverride None
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName webdav.example.com
DocumentRoot /var/webdav.example.com/slash
#
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /var/webdav.example.com/ssl/webdav.example.com_cert.pem
SSLCertificateKeyFile /var/webdav.example.com/ssl/webdav.example.com_priv-key.pem
SSLCACertificateFile /var/webdav.example.com/ssl/ExampleCA_ca-pub-key-cert.pem
#
#DAVLockDB /tmp/DAVLock
DAVMinTimeout 180
LogLevel warn
#
Alias /hannibal /var/webdav.example.com/hannibal
Dav On
AuthType Basic
AuthName "Solstice webdavshare voor Hannibal project"
AuthUserFile /var/webdav.example.com/hannibal.htpasswd
require valid-user
#
# ## for browser-access:
Options +Indexes
IndexIgnore ..
IndexOptions -IconsAreLinks NameWidth=* FancyIndexing SuppressLastModified FoldersFirst
IndexOrderDefault Ascending Name
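The difference between the plain /webdav site and the ssl vhost above is exactly what a reviewer of such a config looks for: Basic authentication sends the password in clear unless SSLEngine is on, a `Dav On` container without AuthType and require is open to anyone, and an AuthLDAPUrl of the form ldap:// forwards the user's credentials to the directory unencrypted unless mod_ldap is told to use TLS (LDAPTrustedMode). The audit below is an added example, not part of the Hannibal documentation or of Apache; it assumes the directives sit inside Directory or Location containers, and the two config files it checks are constructed from the page's fragments with those containers added (the /scratch location is constructed too).

```shell
#!/bin/sh
# Audit Apache WebDAV config fragments for unauthenticated or cleartext access.
# Added example; the sample configs are constructed from this page's fragments.

# dav_audit FILE
# Walks the Directory/Location containers in FILE and prints one finding
# per line. SSLEngine is tracked file-wide, the other directives per container.
dav_audit() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^<(directory|location)[ \t>]/ {
        n++; open = 1; name[n] = $0; sub(/^[ \t]+/, "", name[n]); next
    }
    line ~ /^<\/(directory|location)>/ { open = 0; next }
    {
        key = tolower($1); val = tolower($2)
        if (key == "sslengine" && val == "on") ssl = 1
        if (!open) next                          # directive outside a container
        if (key == "dav" && val == "on") dav[n] = 1
        if (key == "authtype") { auth[n] = 1; if (val == "basic") basic[n] = 1 }
        if (key == "require") req[n] = 1
        if (key == "authldapurl" && val ~ /^ldap:\/\//) plainldap[n] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            if (!dav[i]) continue
            if (!(auth[i] && req[i]))
                print "no authentication on DAV container: " name[i]
            else if (basic[i] && !ssl)
                print "Basic credentials sent over plain HTTP: " name[i]
            if (plainldap[i])
                print "AuthLDAPUrl uses ldap:// (set LDAPTrustedMode TLS): " name[i]
        }
    }' "$1"
}

# dav_audit_count FILE -> number of findings, 0 for a clean file
dav_audit_count() {
    dav_audit "$1" | wc -l | tr -d ' '
}

# --- constructed samples ------------------------------------------------------
WORK=$(mktemp -d)
# the uploads site from this page, wrapped in a constructed Directory container
cat > "$WORK/uploads.conf" <<'EOF'
Alias /webdav /var/www/uploads
<Directory /var/www/uploads>
    Dav On
    AuthType Basic
    AuthName 'Hannibal Uploads'
    AuthLDAPUrl ldap://ldap.intra.example.com/ou=People,dc=intra,dc=example,dc=com?uid?sub
    require valid-user
</Directory>
EOF
# the ssl vhost share from this page, plus a constructed unauthenticated location
cat > "$WORK/ssl.conf" <<'EOF'
SSLEngine on
Alias /hannibal /var/webdav.example.com/hannibal
<Directory /var/webdav.example.com/hannibal>
    Dav On
    AuthType Basic
    AuthUserFile /var/webdav.example.com/hannibal.htpasswd
    require valid-user
</Directory>
<Location /scratch>
    Dav On
</Location>
EOF

for f in uploads.conf ssl.conf; do
    echo "== $f: $(dav_audit_count "$WORK/$f") finding(s)"
    dav_audit "$WORK/$f"
done
```

Run `dav_audit` over each file in /etc/apache2/sites-enabled; the hannibal share on the ssl vhost passes, the plain-HTTP uploads site gets two findings.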
====clients====
===OSX===
This is built in.
Finder -> Go -> connect to server: https://webdav.example.com/hannibal
===Linux===
Install the module and userspace tooling:
apt-get install davfs2
Make the mount:
mount -t davfs https://webdav.example.com/hannibal /home/luc/webdav-hannibal -o uid=1234,gid=1234
===MS-win===
Use MS Vista or newer, and add the CA certificate to the system store first.
Now make the connection and map a drive letter:
net use W: https://webdav.example.com/hannibal /user:luc