ADMIRAL LSDS setup

From ImageWeb


ADMIRAL LSDS test server setup notes

Hardware:

  • Dell Optiplex 780
  • Dual core 3.16GHz processor
  • 4Gb RAM
  • 2x320Gb SATA disks

System:

  • Ubuntu server 9.10, 64-bit
  • KVM virtual machine hosting
  • Also has preinstalled copy of Windows 7 pro

System setup

  • Standard install from Ubuntu server 9.10 64-bit CDROM:
    • 129.67.24.35, etc.
    • VM hosting
    • SSH server
  • Install ubuntu-desktop
    • Configure dual screens
  • Usual security options; ssh restrictions, denyhosts, ufw, etc.

Virtualization setup

Note: logging out with a virtual machine running as a user (non-daemon) process has been seen to cause a system hang-up.

  • Install:
    • libvirt-bin
    • python-virtinst
    • python-vm-builder
    • virt-manager
  • Use vmbuilder to create virtual machine image (see /var/kvm/make-admiral-server.sh):
vmbuilder kvm ubuntu \
  --suite karmic \
  --flavour virtual \
  --arch amd64 \
  --overwrite \
  --ip 129.67.24.65 \
  --mask 255.255.252.0 \
  --gw 129.67.27.254 \
  --dns 129.67.1.1 \
  --bridge br0 \
  --part admiral.partitions \
  --user admiral \
  --pass zakynthos \
  --domain admiral \
  --hostname admiral \
  --libvirt qemu:///system
Note that using --libvirt causes problems if another virtual machine has previously been created with the same domain name (default 'ubuntu'). Deleting the files /etc/libvirt/qemu/*.xml and then rebooting seems to resolve this; not using --libvirt also helps. It seems that only one virtual machine can be registered with libvirt under a given domain name. Use the --domain option to specify the domain name (?).
There's more: "Also you'll find if you dont specify a hostname too vmbuilder will always call the domain ubuntu and you will have to manually rename it each time." -- http://irclogs.ubuntu.com/2009/01/17/%23ubuntu-server.txt
  • Configure the br0 bridge named in the --bridge option above in /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address 129.67.24.35
        network 129.67.24.0
        netmask 255.255.252.0
        broadcast 129.67.27.255
        gateway 129.67.27.254
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off
Note that the original eth0 configuration needs to be changed (to inet manual, so that the address lives on the bridge only), as well as adding the br0 section.
  • Restart networking with
/etc/init.d/networking restart
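As an added example (not part of the original page), the following shell function checks an interfaces file for the two mistakes the note above warns about before networking is restarted: the physical port must have been switched to inet manual, and the address must be on the bridge that lists that port in bridge_ports. The sample files it builds are constructed; the "good" one mirrors the configuration shown above, the "bad" one leaves eth0 on dhcp.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check an
# /etc/network/interfaces file before running "networking restart".

# check_bridge_config FILE BRIDGE PORT
#   prints one line per problem, returns 0 when the file is consistent
check_bridge_config() {
    awk -v br="$2" -v port="$3" '
        # remember the mode (static/manual/dhcp/...) of every iface stanza
        $1 == "iface" { cur = $2; mode[$2] = $4; next }
        $1 == "bridge_ports" && cur == br {
            for (i = 2; i <= NF; i++) if ($i == port) has_port = 1
        }
        # an address on the port itself means it was not converted to manual
        $1 == "address" && cur == port { port_addr = 1 }
        END {
            rc = 0
            if (!(br in mode)) { print "no iface stanza for " br; rc = 1 }
            else if (mode[br] != "static") { print br " is not inet static"; rc = 1 }
            if (!has_port) { print port " is not in bridge_ports of " br; rc = 1 }
            if (!(port in mode)) { print "no iface stanza for " port; rc = 1 }
            else if (mode[port] != "manual") { print port " should be inet manual, is inet " mode[port]; rc = 1 }
            if (port_addr) { print port " still has an address of its own"; rc = 1 }
            exit rc
        }' "$1"
}

# write_sample_interfaces: constructed sample files (not real hosts);
# prints the directory holding "good" (as on this page) and "bad"
# (eth0 left on dhcp, the usual mistake)
write_sample_interfaces() {
    dir=$(mktemp -d)
    cat > "$dir/good" <<'EOF'
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet static
        address 129.67.24.35
        netmask 255.255.252.0
        gateway 129.67.27.254
        bridge_ports eth0
        bridge_stp off
EOF
    cat > "$dir/bad" <<'EOF'
auto eth0
iface eth0 inet dhcp

auto br0
iface br0 inet static
        address 129.67.24.35
        bridge_ports eth0
EOF
    echo "$dir"
}

# usage on the real host:
#   check_bridge_config /etc/network/interfaces br0 eth0 || echo "fix the file before restarting networking"
```

The check is deliberately strict about eth0 keeping an address: if the port still has one, both eth0 and br0 end up configured and the VMs' bridged traffic behaves unpredictably.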

Running virtual machine directly with kvm

This example needs fixing up - networking doesn't work as described here:

#!/bin/bash
# Start virtual machine with bridged network
# Ref:
# [1] http://www.howtoforge.com/using-kvm-on-ubuntu-gutsy-gibbon

# With window (run using sudo from X-window login account - as root doesn't work):
sudo kvm -m 256 -hda /var/kvm/ubuntu-kvm/disk0.qcow2 -net nic -net tap,ifname=tap0 -daemonize

# Without window (see [1])
#sudo kvm -m 256 -hda /var/kvm/ubuntu-kvm/disk0.qcow2 -net nic -net tap,ifname=tap0 -nographic -daemonize

stty sane

Using VMWare images in KVM/QEMU

To use the VMware machine from within virt-manager, the .vmx file must be converted to libvirt's .xml. vmware2libvirt was created to help with this. It's available in Intrepid/Jaunty in the package 'virt-goodies'. After installing it can be used like so:

$ vmware2libvirt -f ./file.vmx > file.xml

The resulting .xml file must be edited to include networking information from an existing .xml file, e.g. add something like this in the <devices> section:

    <interface type='bridge'>
      <mac address='52:54:00:86:6a:48'/>
      <source bridge='br0'/>
      <model type='virtio'/>
    </interface>

Finally, install the new virtual machine into the KVM/QEMU environment:

$ virsh -c qemu:///system define file.xml

Preinstalling applications

(see also --copy option - probably useful for preconfiguring applications)

There are two ways to preinstall applications in a virtual machine image. One is to use the --add-package (@@CHECK) option to install packages in the image, and the other is to use a --firstboot script option to install extra packages when the machine first starts. Packages that generate private keys (e.g. SSH) should be installed using --firstboot to avoid the possibility of multiple instances with the same key, so we have used this for all packages. The first boot can therefore take a while.

We are using the following vmbuilder script:

rm /etc/libvirt/qemu/admiral.xml
vmbuilder kvm ubuntu \
  --suite karmic \
  --flavour virtual \
  --arch amd64 \
  --overwrite \
  --ip 129.67.24.65 \
  --mask 255.255.252.0 \
  --gw 129.67.27.254 \
  --dns 129.67.1.1 \
  --bridge br0 \
  --part admiral.partitions \
  --user admiral \
  --pass zakynthos \
  --domain admiral \
  --hostname admiral \
  --libvirt qemu:///system \
  --firstboot boot.sh

Where admiral.partitions (in the same directory) contains:

root 8000
swap 2000

and boot.sh (in the same directory) contains:

# This script will run the first time the virtual machine boots
# It is run as root.

apt-get update
apt-get install -qy --force-yes \
  openssh-server acpid unattended-upgrades ufw denyhosts \
  apache2 samba
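As an added example (not the page's own boot.sh), the helpers below address the host-key problem described above: a package that generates its private key at install time bakes that key into every VM cloned from the image. shared_host_keys compares two /etc/ssh directories for identical public host keys, and regenerate_host_keys is the step a firstboot script would run, as root, before openssh-server is relied on. The sample directories in demo_clone_check are constructed and contain placeholder key text, not real keys.

```shell
#!/bin/sh
# Added example, not the page's boot.sh: helpers for checking and fixing
# SSH host keys shared between VM images.

# host_keys_present DIR -> 0 if DIR holds any ssh_host_*_key
host_keys_present() {
    for k in "$1"/ssh_host_*_key; do
        [ -f "$k" ] && return 0
    done
    return 1
}

# shared_host_keys DIR_A DIR_B -> prints every public host key that is
# byte-identical in both directories; returns 0 if any, 1 if none.
# Run against two images' /etc/ssh to confirm they do not share a key.
shared_host_keys() {
    found=1
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        name=$(basename "$pub")
        if [ -f "$2/$name" ] && cmp -s "$pub" "$2/$name"; then
            echo "$name"
            found=0
        fi
    done
    return $found
}

# regenerate_host_keys: for use inside the firstboot script, as root.
# Removes any keys already in the image and lets the package create
# fresh ones (ssh-keygen -A on newer OpenSSH, otherwise
# dpkg-reconfigure openssh-server as on Ubuntu 9.10).
# Not exercised by the offline sample below.
regenerate_host_keys() {
    rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub
    if command -v ssh-keygen >/dev/null 2>&1 && ssh-keygen -A 2>/dev/null; then
        return 0
    fi
    dpkg-reconfigure openssh-server
}

# demo_clone_check: constructed sample with two "clones" that share a key
# and one fresh machine; prints the shared key name and returns 0 if found
demo_clone_check() {
    t=$(mktemp -d)
    mkdir -p "$t/clone1" "$t/clone2" "$t/fresh"
    # placeholder key material, constructed for the sample only
    printf 'ssh-rsa AAAAB3Nza-constructed-sample-key clone\n' > "$t/clone1/ssh_host_rsa_key.pub"
    : > "$t/clone1/ssh_host_rsa_key"
    cp "$t/clone1/ssh_host_rsa_key.pub" "$t/clone2/"
    : > "$t/clone2/ssh_host_rsa_key"
    printf 'ssh-rsa AAAAB3Nza-constructed-different-key fresh\n' > "$t/fresh/ssh_host_rsa_key.pub"
    : > "$t/fresh/ssh_host_rsa_key"
    shared_host_keys "$t/clone1" "$t/clone2"
}
```

In the firstboot script the natural place for regenerate_host_keys is immediately after the apt-get install line, so that even an image that somehow already carried keys ends up with its own.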

Samba setup

Defining a share - add the following to /etc/samba/smb.conf:

# Share /var/files as //admiral/files
[files]
   comment = File server area
   browseable = yes
   read only = no
   path = /var/files
   create mask = 0775
   directory mask = 0775
   valid users = admiral

Notes:

  • By default, Samba requires the usernames used to be configured with smbpasswd
    • (We're currently investigating if this requirement can be avoided by using the Linux user base directly).
  • Shared file system directory must be accessible to the user authenticated to Samba
  • Linux client needs smbfs installed. To mount Samba share, e.g.:
mount -t cifs //zakynthos/admiral -o username=admiral /mnt/admiral
  • To make it appear with the local userid:
sudo mount.cifs //zakynthos.zoo.ox.ac.uk/files/galletly /mnt/admiral -o user=galletly,uid=galletly,gid=galletly
  • Connecting from MacOS: Finder > Go > Connect to server..., then enter (e.g.):
smb://zakynthos/admiral/

Pluggable Authentication Modules (PAM)

Notes:

  • To test a password against the local shadow file directly (sudo has to apply to unix_chkpwd, not to echo, for the check to run as root):
echo -ne '<password>\0000' | sudo /sbin/unix_chkpwd <user> nullok ; echo $?
  • The unix_chkpwd utility (and hence the pam_unix module) works only when run as root, or when checking the credentials of the current user. For this reason, we believe this module is not usable for Samba authentication against the local passwd/shadow files.

Single Sign On (SSO) authentication using Kerberos

(See also https://wiki.oucs.ox.ac.uk/itss/KerberosUnix or copy at http://bioimage.ontonet.org/moin/OxfordKerberos)

  • Install
    • krb5-user
  • Edit /etc/krb5.conf:
[libdefaults]
        default_realm = OX.AC.UK
[realms]
OX.AC.UK = {
    kdc = kdc0.ox.ac.uk
    kdc = kdc1.ox.ac.uk
    kdc = kdc2.ox.ac.uk
    admin_server = kdc-admin.ox.ac.uk
    default_domain = ox.ac.uk
}
[domain_realm]
    .ox.ac.uk = OX.AC.UK
  • Use kinit to get a ticket granting ticket (TGT) from the Kerberos server.

Note: Calling kinit without any options will only work if the usernames locally and on the Kerberos server are the same. If they are different you instead need to use the -p flag:

galletly@zoo-samos:~$ kinit -p abcd1234
Password for abcd1234@OX.AC.UK:
galletly@zoo-samos:~$
  • Use klist to examine the TGTs currently stored.

Enabling ssh with Kerberos

  • The OpenSSH client supports GSSAPI which is an extensible authentication architecture capable of handling Kerberos negotiation. In order to enable this, edit /etc/ssh/ssh_config and ensure that the following settings read as follows:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
  • You should now be able to log in to e.g. linux.ox.ac.uk using the Kerberos credentials already established.
  • To enable the OpenSSH server, install libpam-krb5 and edit /etc/ssh/sshd_config and ensure that the following settings read as follows:
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
  • Run /etc/init.d/ssh restart; you should now be able to log in from elsewhere using the Oxford SSO credentials.
Note: the user will have to have an account on the local server in order for this to work.
  • Edit /etc/pam.d/common-password to delete the line referring to pam_krb5.so, and change the line referring to pam_unix.so to read:
password        [success=1 default=ignore]      pam_unix.so obscure sha512

(i.e. removing the use_authtok and try_first_pass options which rely on a previous stacked password module having been tried first: the pam_krb5.so which has been deleted).

Note: this is to avoid being prompted for the Kerberos password when the Unix password is required, e.g. if one is trying to change the Unix password!
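As an added example (not from the original page), the functions below apply the common-password edit just described to a copy of the file and verify the result, so the change can be checked before it touches /etc/pam.d on a live server. The sample stack is a constructed copy of the stock Ubuntu file as it looks with libpam-krb5 installed; the [success=2 default=ignore] control on the pam_krb5 line is an assumption about that stock file.

```shell
#!/bin/sh
# Added example, not from the original page: apply and check the
# /etc/pam.d/common-password change described above.

# rewrite_common_password FILE -> prints the edited stack:
#   - drops the password line that loads pam_krb5.so
#   - strips use_authtok and try_first_pass from the pam_unix.so line,
#     since they only make sense with an earlier module in the stack
rewrite_common_password() {
    sed -e '/^password.*pam_krb5\.so/d' \
        -e '/^password.*pam_unix\.so/s/[[:space:]][[:space:]]*use_authtok//' \
        -e '/^password.*pam_unix\.so/s/[[:space:]][[:space:]]*try_first_pass//' "$1"
}

# check_common_password FILE -> 0 if the file already has the intended shape
check_common_password() {
    ! grep -q '^password.*pam_krb5\.so' "$1" || return 1
    grep -q '^password.*pam_unix\.so' "$1" || return 1
    ! grep '^password.*pam_unix\.so' "$1" | grep -Eq 'use_authtok|try_first_pass'
}

# write_sample_common_password: constructed copy of the stock Ubuntu
# stack with libpam-krb5 installed; prints the file path
write_sample_common_password() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /etc/pam.d/common-password (constructed sample)
password        [success=2 default=ignore]      pam_krb5.so minimum_uid=1000
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF
    echo "$f"
}

# usage on a real box (as root):
#   rewrite_common_password /etc/pam.d/common-password > /tmp/common-password.new
#   check_common_password /tmp/common-password.new && cp /tmp/common-password.new /etc/pam.d/common-password
```

Writing to a temporary file and checking it first matters here because a broken common-password stack can leave every user unable to change their password until it is repaired.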

Samba with Kerberos

  • Edit /etc/samba/smb.conf to have the following line:
   encrypt passwords = false

Running smbclient -L zakynthos will now work either with the local password or with the SSO credentials. This setting is what lets PAM see the password: with encrypt passwords = false the client sends the password in cleartext and Samba can hand it to pam_krb5, whereas the challenge-response exchange used when the option is true can only be checked against Samba's own smbpasswd hashes. If instead the encrypt passwords option is set to true, the local password will work, but attempting to use the SSO credentials will fail with the error message: session setup failed: NT_STATUS_LOGON_FAILURE

Note that using the -k option with smbclient causes it to try to use locally cached Kerberos credentials. This does not work with a Samba server configured to use Kerberos via PAM. To prove that Kerberos-verified credentials are being used, set a different password via smbpasswd from the Kerberos password, then try connecting using both passwords (both should work) - this shows that both the pam_unix and pam_krb5 modules are being used.
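As an added example (not from the original page), here is a small audit of smb.conf that flags the two settings in the configuration above worth a deliberate decision: encrypt passwords = false in [global], which is required for the PAM/Kerberos path but also means the password crosses the network unprotected, and any writable share that has no valid users restriction. The sample smb.conf is constructed; the [files] share is the one from this page, [scratch] is added to show a finding.

```shell
#!/bin/sh
# Added example, not from the original page: audit smb.conf for the
# settings discussed in the Samba sections above.

# audit_smb_conf FILE -> prints one line per finding; returns 1 if any
audit_smb_conf() {
    awk '
        BEGIN { rc = 0 }
        # evaluate the section collected so far, then clear it
        function flush() {
            if (sec == "") return
            if (sec == "global" && kv["encrypt passwords"] == "false") {
                print "global: encrypt passwords = false (cleartext passwords on the wire)"; rc = 1
            }
            if (sec != "global" && (kv["read only"] == "no" || kv["writable"] == "yes" || kv["writeable"] == "yes") && !("valid users" in kv)) {
                print sec ": writable share with no valid users restriction"; rc = 1
            }
            for (k in kv) delete kv[k]
        }
        /^[[:space:]]*[#;]/ { next }                      # comment line
        /^[[:space:]]*\[.*\][[:space:]]*$/ {               # [section] header
            flush()
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\][[:space:]]*$/, "", sec)
            next
        }
        /=/ {                                              # key = value
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            kv[tolower(key)] = tolower(val)
        }
        END { flush(); exit rc }
    ' "$1"
}

# write_sample_smb_conf: constructed sample; prints the file path
write_sample_smb_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = WORKGROUP
   encrypt passwords = false

# Share /var/files as //admiral/files
[files]
   comment = File server area
   browseable = yes
   read only = no
   path = /var/files
   create mask = 0775
   directory mask = 0775
   valid users = admiral

[scratch]
   path = /var/scratch
   read only = no
EOF
    echo "$f"
}

# usage on the server:
#   audit_smb_conf /etc/samba/smb.conf || echo "review the findings above"
```

The parser lowercases keys and values, since Samba itself treats both case-insensitively, and accepts both read only = no and writable = yes as meaning the share is writable.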

OpenLDAP

NB: Releases of slapd prior to Ubuntu 9.10 installed by asking questions during the installation process. The 9.10 version of slapd comes in an unconfigured version which requires configuring as below. This may or may not remain necessary for future versions of slapd.

  • Install slapd and ldap-utils

WebAuth

Still working on it. Error seen:

Feb  3 10:49:37 admiral kernel: [65621.273895] apache2[2776]: segfault at 656d69746c71 ip 00007fb0d44cdd58 sp 00007fff9470af50 error 4 in libwebauth.so.1.2.0[7fb0d44c9000+b000]