The Hannibal fileserver offers its services to all kinds of workstations, e.g. GNU/Linux, Mac OS X and Microsoft Windows. A client can communicate with the server via several open standard protocols. Currently the Hannibal fileserver offers NFS, SMB/CIFS, FTP and WebDAV.

Prerequisites

We want all the daemons on our fileserver to use the same LDAP-based sign-on source for user management. So we need an LDAP server, and PAM/NSSwitch on our server must be configured to connect to LDAP.

NFS-protocol

NFS-server

Our fileserver can share (export) parts of its storage to UNIX-based clients using the NFS protocol. We chose the NFS kernel server over the userland NFS server for performance reasons.

Install the software:

apt-get install nfs-common nfs-kernel-server portmap

Define your NFS exports in /etc/exports:

#
/export/home   192.168.1.0/255.255.255.0(rw,async,wdelay,nohide,insecure,no_root_squash,subtree_check)
/export/home2  192.168.2.0/255.255.255.0(rw,async,wdelay,nohide,insecure,no_root_squash,subtree_check)
/export/home3  192.168.2.0/255.255.255.0(ro,async,wdelay,subtree_check)
#

Let the NFS server use the new config:

exportfs -r

You can view your NFS exports with the commands exportfs and showmount.

In case showmount reports problems, also configure /etc/hosts.allow (and optionally /etc/hosts.deny). Note that the net/mask pair below matches every address, so it only makes sense together with the client restrictions in /etc/exports:

#
ALL: 255.255.255.255 0.0.0.0
#
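The exports above use no_root_squash, insecure and async, each of which widens exposure. As an added check (not part of the original page), the following POSIX shell audit reads an exports file and flags those options plus any entry without a client restriction; the sample exports it is fed are constructed.

```shell
#!/bin/sh
# Constructed sample in /etc/exports syntax (not the page's own file).
SAMPLE_EXPORTS='# constructed sample
/export/home   192.168.1.0/255.255.255.0(rw,async,wdelay,nohide,insecure,no_root_squash,subtree_check)
/export/home3  192.168.2.0/255.255.255.0(ro,async,wdelay,subtree_check)
/export/pub    *(ro,sync)
/export/data   10.0.0.0/24(rw,sync,root_squash,secure)'

# audit_exports: read an exports file on stdin and print one
# "PATH CLIENT: finding" line for every option that widens exposure.
audit_exports() {
  set -f   # no globbing: a client of "*" must stay a literal asterisk
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | while read -r path clients; do
    for spec in $clients; do
      client=${spec%%"("*}
      opts=${spec#*"("}; opts=${opts%")"}
      [ "$opts" = "$spec" ] && opts=""      # "host" without an option list
      case "$client" in
        ''|'*') echo "$path $client: exported to every host" ;;
      esac
      for o in $(printf '%s' "$opts" | tr ',' ' '); do
        case "$o" in
          no_root_squash) echo "$path $client: root on the client is root on the export" ;;
          insecure)       echo "$path $client: accepts requests from non-privileged source ports" ;;
          async)          echo "$path $client: acknowledged writes can be lost if the server crashes" ;;
        esac
      done
    done
  done
  set +f
}

# count_findings: number of audit lines for the exports file on stdin (0 = nothing flagged)
count_findings() { audit_exports | wc -l | tr -d ' '; }

# Against the live file:  audit_exports < /etc/exports
```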

NFS-client (incl. automounter)

When UNIX users log on to several servers in a network, you might want to provide them with a single home directory that is available on all (UNIX) servers. This can be done using automount.

Install the software on the server (instance) that will mount the home directories of its users:

apt-get install nfs-common portmap autofs

Create /etc/auto.master

# $Id: auto.master,v 1.2 1997/10/06 21:52:03 hpa Exp $
# Sample auto.master file
# Format of this file:
# mountpoint map options
# For details of the format look at autofs(5).
#
/home   /etc/auto.home  --timeout=600
#

Create /etc/auto.home

#
#*   -fstype=nfs,vers=3,rsize=8192,wsize=8192,intr,fstype=nfs,soft,nosuid,tcp                  file.intra.example.com:/export/home/&
#
*  -fstype=nfs,vers=3,rsize=8192,wsize=8192,timeo=14,intr,hard,tcp,nosuid,nfsvers=3,noatime    file.intra.example.com:/export/home/&
#

As an alternative, add a line like this to /etc/fstab:

fileserver.intra.example.com:/home  /home  nfs intr,hard,nosuid,tcp,nfsvers=3,retrans=10,timeo=20,noatime,acdirmin=0,acdirmax=0,acregmax=10

or, more simply:

fileserver.intra.example.com:/home  /home  nfs defaults,vers=3

When using NFS version 4, take /etc/idmapd.conf (and the start setting in /etc/default/nfs-common) into account.

SMB/CIFS-protocol

Samba version-3

We used to run Samba 3 in samba2-compatibility mode. This was before we changed to the Fedora Directory Server as our preferred directory server. We keep some legacy documentation regarding Samba 2 and the samba2-compatibility mode.

We assume you are running the Fedora Directory Server with the LDAP schema for Samba 3. In the chapter on installing the Fedora Directory Server we already described the custom LDAP schema that Samba 3 requires (61samba.ldif).

Installation

apt-get install samba samba-doc smbldap-tools

Configuration

Configure the /etc/samba/smb.conf file

[global]
workgroup = HANNIBAL
netbios name = FILESERVER
security = user
passdb backend = ldapsam:ldap://ldap.intra.example.com
ldap admin dn = cn=Directory Manager
ldap suffix = dc=intra,dc=example,dc=com
ldap user suffix = ou=People
ldap idmap suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
ldap ssl = start tls
ldap delete dn = no
obey pam restrictions = no
encrypt passwords = yes
ldap passwd sync = yes
passwd program = /usr/sbin/smbldap-passwd %u
add machine script = /usr/sbin/smbldap-useradd -w "%u"
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 255
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins support = yes
logon path =
logon drive = L:
template shell = /bin/false
winbind use default domain = no
 
[netlogon]
    comment = Network Logon Service
    path = /home/system/netlogon
    read only = yes 
    browseable = no
 
[homes]
    comment = Home Directories
    browseable = no 
    read only = no
    guest ok = no 
    create mode = 0664
    directory mode = 0775
 
# Example share
#[research]
#   comment = Research Share
#   path = /home/research
#   write list = @research,@staff
#   valid users = @research,@staff
#   force group = "research"
#   create mode = 664
#   directory mode = 775

Create the netlogon directory

mkdir -p /home/system/netlogon

Specify the password to be used with the ldap admin dn. Note that the password is stored in /var/lib/samba/secrets.tdb and is keyed by the admin's DN. This means that if the value of ldap admin dn ever changes, the password will need to be updated manually as well. Since the password is passed on the command line, it also ends up in your shell history.

smbpasswd -w rootdn_password_here

We have to reconfigure PAM so that it binds as the rootdn to the directory server whenever the user root needs to connect to the directory server. Create a /etc/ldap.secret file and a /etc/pam_ldap.secret file that contain your rootdn password. Since these files hold a secret, only the user root should be able to read them.

( umask 077; echo rootdn_password_here > /etc/ldap.secret )   # created with mode 0600 from the start, never world-readable
chmod 600 /etc/ldap.secret
ln -s /etc/ldap.secret /etc/pam_ldap.secret

Add a line like this to /etc/libnss-ldap.conf and /etc/pam_ldap.conf

...
rootbinddn cn=Directory Manager
...

Restart the Samba-server

/etc/init.d/samba restart

Configure the smbldap-tools. Create a file /etc/smbldap-tools/smbldap_bind.conf:

############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap server for write access and a slave ldap server for read access.
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Directory Manager"
slavePw="rootdn_password_here"
masterDN="cn=Directory Manager"
masterPw="rootdn_password_here"

As this file contains the directory manager password, restrict its permissions:

chmod 600 /etc/smbldap-tools/smbldap_bind.conf
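An added check, not from the original page, for the three files created above that hold the rootdn password: each must be a regular file (symlinks followed), owned by root with mode exactly 0600, and must no longer contain the placeholder rootdn_password_here. The OWNER argument is an assumption added only so the check can be exercised as a non-root user.

```shell
#!/bin/sh
# check_secret_file FILE [OWNER]: the file (symlinks followed) must be a regular
# file owned by OWNER (default root) with mode exactly 0600, and must not still
# carry the placeholder password from this guide. Returns 0 when all of that holds.
check_secret_file() {
  f=$1; owner=${2:-root}; ok=0
  if [ ! -f "$f" ]; then
    echo "$f: missing or not a regular file"; return 1
  fi
  # find -L follows the /etc/pam_ldap.secret -> /etc/ldap.secret symlink
  if [ -z "$(find -L "$f" -user "$owner" -perm 0600 -print 2>/dev/null)" ]; then
    echo "$f: must be owned by $owner with mode 0600"; ok=1
  fi
  if grep -q 'rootdn_password_here' "$f"; then
    echo "$f: still contains the placeholder password"; ok=1
  fi
  return $ok
}

# check_all_secrets [OWNER]: run the check over every secret file this guide creates.
check_all_secrets() {
  rc=0
  for f in /etc/ldap.secret /etc/pam_ldap.secret /etc/smbldap-tools/smbldap_bind.conf; do
    check_secret_file "$f" "$1" || rc=1
  done
  return $rc
}
```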

Create a file /etc/smbldap-tools/smbldap.conf

SID="S-1-5-21-2716392939-2958722027-3681302686"
slaveLDAP="ldap.intra.example.com"
slavePort="389"
masterLDAP="ldap.intra.example.com"
masterPort="389"
ldapTLS="1"
verify="optional"
cafile="/etc/ldap/cacerts/5be5959f.0"
suffix="dc=intra,dc=example,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=HANNIBAL,${suffix}"
scope="sub"
hash_encrypt="MD5"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="99"
userSmbHome="\\FILESERVER\home\%U"
userProfile="\\FILESERVER\profiles\%U"
userHomeDrive="L:"
userScript="%U.cmd"
mailDomain="intra.example.com"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

You can get the SID-entry for your configuration by running

net getlocalsid

Put the output in the /etc/smbldap-tools/smbldap.conf file

Post-configuration

Now let's fill the directory server with the necessary entries for Samba. Run the command:

smbldap-populate

The current version of smbldap-populate also applies some Samba-to-Linux group mappings. You can verify them by issuing:

net groupmap list

Otherwise, add the group mappings manually:

net groupmap add rid=512 ntgroup='Domain Admins'  unixgroup='Domain Admins'
net groupmap add rid=513 ntgroup='Domain Users' unixgroup='Domain Users'
net groupmap add rid=514 ntgroup='Domain Guests' unixgroup='Domain Guests'
net groupmap add rid=515 ntgroup='Domain Computers' unixgroup='Domain Computers'

Create an account to use whenever you add a machine account to your domain via the MS Windows join-domain dialog. This account should have uidNumber=0 and gidNumber=0, so you could just use the UNIX root account for this. However, we prefer to use the special account 'admsamba', which has no further use on the UNIX system apart from Samba.

smbldap-useradd -a -d /dev/null -P -s /bin/false admsamba

We have to make sure that this account has a user SID ending in RID 500 and a primary group SID ending in RID 512. The sed expression strips the prefix that net getlocalsid prints for the netbios name FILESERVER; adjust it if your name differs:

pdbedit -U $( net getlocalsid | sed 's/SID for domain FILESERVER is: //' )-500 -u admsamba -r
pdbedit -G $( net getlocalsid | sed 's/SID for domain FILESERVER is: //' )-512 -u admsamba -r

You should set the values uidNumber=0 and gidNumber=0 in LDAP yourself using a LDAP-client. You can't use the smbldap-tools for this as the root-account itself already has these values in LDAP.
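An added example, not part of the original page, that replaces the sed expression above with a parser that does not depend on the netbios name being FILESERVER and validates the SID shape before the RIDs 500 and 512 are appended. The sample net getlocalsid output is constructed.

```shell
#!/bin/sh
# domain_sid_from_output: read the output of `net getlocalsid` on stdin and print
# only the domain SID, whatever the netbios name is. Prints nothing and returns 1
# when no well-formed S-1-5-21-<a>-<b>-<c> SID is present.
domain_sid_from_output() {
  sid=$(sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1)
  [ -n "$sid" ] || return 1
  printf '%s\n' "$sid"
}

# rid_sid DOMAIN_SID RID: append a relative id; 500 is the administrator
# account, 512 the Domain Admins group.
rid_sid() { printf '%s-%s\n' "$1" "$2"; }

# Constructed sample output (the SID on the page is a different one).
SAMPLE_OUTPUT='SID for domain FILESRV01 is: S-1-5-21-1111111111-2222222222-3333333333'

# The two pdbedit invocations from this guide, built from the parsed SID:
#   sid=$(net getlocalsid | domain_sid_from_output) || exit 1
#   pdbedit -U "$(rid_sid "$sid" 500)" -u admsamba -r
#   pdbedit -G "$(rid_sid "$sid" 512)" -u admsamba -r
```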

Accounts for your users can be added like so

smbldap-useradd -a -d  /home/firstuser -m -s /bin/bash firstuser
smbldap-passwd firstuser

FTP-protocol

We use ProFTPD because it is fast and scalable and supports PAM and SSL/TLS. The LDAP directory is used via PAM (the ProFTPD LDAP patch is not used here).

Installation

apt-get install proftpd proftpd-doc

Configuration

Edit the main configuration file /etc/proftpd/proftpd.conf. The TLSProtocol TLSv1 line reflects the age of this guide; on a current mod_tls you should restrict the protocol to TLSv1.2 or newer.

ServerName                      "ftpserver"
ServerType                      standalone
DeferWelcome                    off
MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on
AllowOverwrite                  on
TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200
DisplayLogin                    welcome.msg
DisplayFirstChdir               .message
ListOptions                     "-l"
DenyFilter                      \*.*/
PersistentPasswd                off
TLSEngine                       on
TLSProtocol                     TLSv1
TLSRequired                     on
TLSRSACertificateFile           /etc/proftpd/tls/ftpcert.pem
TLSRSACertificateKeyFile        /etc/proftpd/tls/ftpkey.pem
TLSCACertificateFile            /etc/proftpd/tls/cacert.pem
TLSVerifyClient                 off
Port                            21
MaxInstances                    30
User                            nobody
Group                           nogroup
DefaultRoot                     ~
<Directory /*>
  Umask                         022  022
  AllowOverwrite                on
</Directory>

Configure proftpd's pam-module for LDAP, /etc/pam.d/proftpd

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth

# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
#auth       required    pam_shells.so

@include common-account
@include common-session

If you only want to grant FTP access to members of a specific group, you can use the module pam_succeed_if. Adjust /etc/pam.d/proftpd to look like this:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-auth

# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
#auth       required    pam_shells.so

account     required     pam_succeed_if.so user ingroup ftpusers
@include common-account
@include common-session

Create a directory for proftpd's certificates

mkdir -p /etc/proftpd/tls

The OpenSSL section in this document describes how to create certificates. Create them now and copy them to /etc/proftpd/tls. Make sure that their names correspond to the names in proftpd.conf.

Check that RUN=yes is set in /etc/default/proftpd (this should be the default).

Restart the ProFTPd-server

/etc/init.d/proftpd restart

Now an SSL/TLS connection is required for FTP to work. Without it you receive a '550 SSL/TLS required on the control channel' error.

WebDAV

The WebDAV protocol allows file transfers over HTTP. You can use a web browser that supports WebDAV, the cadaver command-line client (apt-get install cadaver) or another WebDAV client to make a connection. For details see http://www.webdav.org

Installation

The Debian package 'apache2' has contained support for running a WebDAV server since Debian Sarge.

apt-get install apache2

Configuration

Check the config file /etc/apache2/mods-available/dav_fs.conf

DAVLockDB /var/lock/apache2/DAVLock

Check the config file /etc/apache2/mods-available/dav_fs.load

LoadModule dav_fs_module /usr/lib/apache2/modules/mod_dav_fs.so

Enable the dav_fs module

a2enmod dav_fs
/etc/init.d/apache2 force-reload

Let's make a directory available for webdav-uploads.

mkdir /var/www/uploads
chown -R www-data /var/www/uploads

Create a config file /etc/apache2/sites-available/uploads. This configuration will enable the directory /var/www/uploads as the virtual directory /webdav in Apache. Note that AuthType Basic sends the LDAP password in the clear, so this share should be served over HTTPS (see the SSL section below):

Alias /webdav /var/www/uploads
<Directory /var/www/uploads>
 Dav On
 AuthType Basic
 AuthName 'Hannibal Uploads'
 AuthLDAPUrl ldap://ldap.intra.example.com/ou=People,dc=intra,dc=example,dc=com?uid?sub
 AllowOverride AuthConfig
 require valid-user
 #require group cn=webdavgrp,ou=groups
 #require filter "(&(webdav=yes)(webdavgrp=upload))"
</Directory>

Enable the new configuration:

a2ensite uploads
/etc/init.d/apache2 force-reload

Now point your WebDAV client of choice to http://yourwebserver/webdav and you should be prompted for a login.

SSL

Create an Apache config. Use IP-based virtual hosting. Duplicate this config for every extra virtual WebDAV server, using an extra IP address and set of SSL certificates for each WebDAV server. Note that the DAV share and its Basic authentication are only defined in the port-443 virtual host below, which keeps the credentials off the plaintext port-80 channel.

<VirtualHost 192.0.32.11:80>
        ServerName webdav.example.com
        ServerAdmin webdavmaster@example.com
        DocumentRoot /var/webdav.example.com/htdocs

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost 192.0.32.11:443>
ServerName webdav.example.com
DocumentRoot /var/webdav.example.com/slash
#
SSLEngine on
SSLProxyEngine on
SSLCertificateFile     /var/webdav.example.com/ssl/webdav.example.com_cert.pem
SSLCertificateKeyFile  /var/webdav.example.com/ssl/webdav.example.com_priv-key.pem
SSLCACertificateFile   /var/webdav.example.com/ssl/ExampleCA_ca-pub-key-cert.pem
#
#DAVLockDB /tmp/DAVLock
DAVMinTimeout 180
LogLevel warn
#
Alias /hannibal   /var/webdav.example.com/hannibal
  <Directory  /var/webdav.example.com/hannibal>
   Dav On
   AuthType Basic
   AuthName "Solstice webdavshare voor Hannibal project"
   AuthUserFile    /var/webdav.example.com/hannibal.htpasswd
   require valid-user
   #
   # ## for browser-access:
   Options +Indexes
   IndexIgnore ..
   IndexOptions -IconsAreLinks NameWidth=* FancyIndexing SuppressLastModified FoldersFirst
   IndexOrderDefault Ascending Name
  </Directory>
</VirtualHost>

Clients

OSX

This is built in.

Finder -> Go -> connect to server: https://webdav.example.com/hannibal

Linux

Install the module and userspace tooling:

apt-get install davfs2

Make the mount:

mount -t davfs https://webdav.example.com/hannibal /home/luc/webdav-hannibal -o uid=1234,gid=1234

MS-win

Use Windows Vista or newer, and add the CA certificate to the system certificate store first.

Now make the connection and map a driveletter:

net use W: https://webdav.example.com/hannibal /user:luc