CorporateUbuntu
A suggested guide to setting up Ubuntu for use in a corporate environment by Naaman Campbell.
INCOMPLETE DOCUMENT - TESTING IN PROGRESS
Created: DateTime by NaamanCampbell
Contributors: NaamanCampbell
Status: IncompleteSpecification
Foreword
Ubuntu has the potential to be a forerunner in the business Linux desktop market and potentially, the general desktop market. Combining Ubuntu with a low-cost thin-client architecture such as SunRay (see UbuntuOnSunRay) could be the answer to numerous biased lower TCO reports being advertised by Microsoft.
The basis of this document will cover migration from a Sun Solaris 8 CDE user environment to Ubuntu and a number of best practices for a multi-user environment. Although there will be some SUN environment specific sections, the aim of the document is to provide and facilitate collaboration on a generic guide for setting up Ubuntu in the corporate environment.
This guide is based on a clean install of Ubuntu Breezy Badger (5.10).
Introduction
The setup of the CorporateUbuntu environment is broken up into the following:
- Authentication
- Home Directories
- Remote Mounts
- Printing
- Locale
- Keyboard
- Locking Down GNOME
- GNOME Menu
- Word Processing Suite
- Terminals
- Multimedia
- Time/Date
Authentication
Prior to the migration to Ubuntu, NIS was used for authentication. Authentication was migrated over to an LDAP-based system using a Sun Java Enterprise System Directory Server. As the configuration of Ubuntu LDAP clients is the main concern of this section, the configuration of LDAP on a Sun Directory Server is outside the scope of this document. Secure LDAP will be considered at a later date.
A suggested precautionary measure is to log in as root on a separate console because if the LDAP setup is broken at any stage, the sudo command may not work. To establish a password for root to enable logging in, perform the following command:
ncampbell@naaman:~$ sudo passwd root
The first step is to set up nss-ldap, the LDAP-specific name service switch package. During installation, accept all the defaults:
ncampbell@naaman:~$ sudo apt-get install libnss-ldap
In order to authenticate using LDAP, /etc/nsswitch.conf will need to be edited:
{{{
ncampbell@naaman:~$ sudo vi /etc/nsswitch.conf
# perform the following vi commands
:1,$s/compat/files ldap/g
:x!
}}}
The /etc/libnss-ldap.conf file is where all the settings are configured. For brevity, the example libnss-ldap.conf is attached and not listed in this document - attachment:libnss-ldap.conf. The configuration may be suited only for use with a Sun Directory Server.
To test the setup of nss-ldap, perform the following command to see a listing of LDAP shadow entries:
ncampbell@naaman:~$ getent shadow
The next step requires pam-ldap, the LDAP-specific PAM package. Answer <No> to the 2 questions asked during installation:
ncampbell@naaman:~$ sudo apt-get install libpam-ldap
The configuration file provided with the libpam-ldap package is unnecessary and can be replaced by libnss-ldap.conf:
{{{
ncampbell@naaman:~$ sudo rm /etc/pam_ldap.conf
ncampbell@naaman:~$ sudo ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf
}}}
To complete the configuration of the pam-ldap package, the following files in the /etc/pam.d directory need to be changed:
{{{
ncampbell@naaman:~$ cd /etc/pam.d

ncampbell@naaman:/etc/pam.d$ sudo vi common-account
account sufficient pam_ldap.so
account required pam_unix.so

ncampbell@naaman:/etc/pam.d$ sudo vi common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

ncampbell@naaman:/etc/pam.d$ sudo vi common-password
password sufficient pam_ldap.so nullok
password required pam_unix.so nullok obscure min=4 max=8 md5

ncampbell@naaman:/etc/pam.d$ sudo vi common-session
session sufficient pam_ldap.so
session required pam_unix.so

ncampbell@naaman:/etc/pam.d$ cd ~
}}}
To test the setup of the pam-ldap package, attempt to logon as an LDAP user.
The final step in the LDAP client setup is to install nscd, the name service caching daemon, to prevent excess LDAP traffic:
{{{
ncampbell@naaman:~$ sudo apt-get install nscd
ncampbell@naaman:~$ sudo mkdir -p /var/db/nscd /var/run/nscd
ncampbell@naaman:~$ sudo /etc/init.d/nscd start
}}}
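Because a mistake in nsswitch.conf or the PAM stacks can lock out both local and LDAP logins, it helps to check the edited files before logging out. The script below is an added example, not part of the original guide; the function names check_nsswitch and check_pam_stack and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the
# LDAP client files edited above. Paths are arguments, so the checks
# can be run on copies rather than the live /etc files.

# Succeeds only if passwd, group and shadow each list "files" before
# "ldap", so local accounts still resolve when the directory is down.
check_nsswitch() {
    awk '
        $1 ~ /^(passwd|group|shadow):$/ {
            f = 0; l = 0; seen++
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "ldap" && !l) l = i
            }
            if (!f || !l || f > l) { print "bad order: " $0; bad = 1 }
        }
        END { if (bad || seen != 3) exit 1 }
    ' "$1"
}

# Succeeds only if the first active rule is "sufficient pam_ldap.so"
# and a later rule is "required pam_unix.so" (the layout used above).
check_pam_stack() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { n++ }
        n == 1 && !($2 == "sufficient" && $3 == "pam_ldap.so") { bad = 1 }
        n > 1 && $2 == "required" && $3 == "pam_unix.so" { unix_ok = 1 }
        END { if (bad || !unix_ok) exit 1 }
    ' "$1"
}

# Constructed sample files (not copied from a real host).
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$d/nss.ok"
printf 'passwd: ldap files\ngroup: files ldap\nshadow: files ldap\n' > "$d/nss.bad"
printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so use_first_pass\n' > "$d/auth.ok"
printf 'auth required pam_unix.so\nauth sufficient pam_ldap.so\n' > "$d/auth.bad"

for f in nss.ok nss.bad; do
    if check_nsswitch "$d/$f" >/dev/null; then echo "$f: pass"; else echo "$f: FAIL"; fi
done
for f in auth.ok auth.bad; do
    if check_pam_stack "$d/$f"; then echo "$f: pass"; else echo "$f: FAIL"; fi
done
```

On a configured client the same functions can be pointed at /etc/nsswitch.conf and the four /etc/pam.d/common-* files.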
References
[http://www.metaconsultancy.com/whitepapers/ldap-linux.htm LDAP Authentication for Linux]
[http://craige.mcwhirter.com.au/2005/ubuntu-ldap-client.html Making a Debian or Ubuntu Machine an LDAP Authentication Client] - more suited to an OpenLDAP environment
[http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20iPlanet%20Directory%20Server%20for%20Solaris9.htm Installing and configuring iPlanet Directory Server for Solaris9] - namely Step 4: Configure RedHat Linux LDAP Client (OpenLDAP+PADL libraries) - also a good source of information on setting up a Sun Directory Server
Home Directories
The users' home directories reside on a Solaris server and are shared out via NFS. The home directories are therefore automounted upon logging into the Ubuntu machine.
To set up automounted home directories, the autofs package is required:
ncampbell@naaman:~$ sudo apt-get install autofs nfs-common
The remaining step is to set up the configuration files and start the service:
{{{
ncampbell@naaman:~$ sudo vi /etc/auto.master
/home /etc/auto.home

ncampbell@naaman:~$ sudo vi /etc/auto.home
* solarisbox.naaman.com.au:/export/home/&

ncampbell@naaman:~$ sudo /etc/init.d/autofs start
}}}
Remote Mounts
Similar to the home directories, the Solaris server contains multiple shares available over NFS. To mount the directories upon booting, /etc/fstab needs to be edited:
{{{
ncampbell@naaman:~$ sudo vi /etc/fstab
solarisbox1:/export/common /mount/solarisbox1_common nfs rw 0 0
solarisbox2:/export/common /mount/solarisbox2_common nfs rw 0 0
}}}
Printing
The Ubuntu printing setup has disabled the use of CUPS for administration of printers for security reasons. A current oversight by the developers of the Ubuntu printing interface is that printers cannot be named or renamed. Printers are named after the printer model, which does not scale in a large environment where several printers of the same model may exist.
A workaround is to rename the entry made in /etc/cups/printers.conf and create a symbolic link to the printer model PPD file in the /etc/cups/ppd directory. Below is a script that can be installed into /usr/local/bin and run immediately after setting up a printer:
{{{
ncampbell@naaman:~$ sudo vi /usr/local/bin/changeprintername
#!/bin/bash
#
############################################
#
# changeprintername - changes the name of a
#                     printer that was
#                     created using Ubuntu
#                     Printing GUI
#
# Usage: changeprintername old_name new_name
#
# Written: Naaman Campbell
#          22 November 2005
#
############################################

CUPS_DIR=/etc/cups
CONF=$CUPS_DIR/printers.conf
PPD_DIR=$CUPS_DIR/ppd

# Usage Check
if [ $# -ne 2 ]; then
  echo "Usage: $0 old_name new_name"
  exit 1
fi

# Both names are placed inside a sed expression that runs as root,
# so accept only non-empty names made of letters, digits, '_', '-' and '.'
for NAME in "$1" "$2"; do
  case "$NAME" in
    ""|*[!A-Za-z0-9_.-]*)
      echo "Invalid printer name: '$NAME'"
      exit 1 ;;
  esac
done

##################################
# DISPLAY CONFIG AND PROMPT USER #
##################################

# find line number of first instance of old printer name
LINE=`grep -m 1 -n -- "$1" "$CONF" | cut -d: -f1`
if [ -z "$LINE" ]; then
  echo "Printer $1 not found in $CONF"
  exit 1
fi

# obtain a magic number for 'tail'
LINECOUNT=`wc -l < "$CONF"`
TAILNUM=`expr $LINECOUNT - $LINE`

# find number of lines between start and end of
# config section for printer
PATTERN="</Printer>"
NUMOFLINES=`tail -n $TAILNUM "$CONF" | grep -m 1 -n "$PATTERN" | cut -d: -f1`
ENDLINE=`expr $LINE + $NUMOFLINES`

# display current config to user
echo
echo "Confirm changing the current printer $1 to $2"
echo "with the following configuration.."
echo
sed -n "${LINE},${ENDLINE}p" "$CONF"
echo
echo "Proceed with printer name change? (y or n)"
read answer
case "$answer" in
  y) echo "Changing $1 to $2" ;;
  n) echo "Exiting.."
     exit ;;
  *) echo "Invalid selection, now exiting.."
     exit 1 ;;
esac

###################
# PERFORM CHANGES #
###################

# create symlink from the new name to the existing PPD file
echo
echo "Creating symlink.."
ln -s "$PPD_DIR/$1.ppd" "$PPD_DIR/$2.ppd"

# update config file (only the line that opens the printer section)
echo "Updating configuration file.."
sed -i -e "${LINE}s/$1/$2/" "$CONF"

# restart cups
echo "Restarting CUPS.."
/etc/init.d/cupsys restart
echo "Script completed operations.."

ncampbell@naaman:~$ sudo chmod u+x /usr/local/bin/changeprintername
}}}
The changeprintername script is also available as an attachment - attachment:changeprintername
After a new printer is added to the system, the script can be run as follows:
ncampbell@naaman:~$ sudo /usr/local/bin/changeprintername old_name new_name
Alternative Method
It is possible to subvert the measures set up by the Ubuntu printing team and enable access to the CUPS administration web pages. By adding the cupsys user to the shadow group, the cupsys user is able to edit the necessary printing system files. Membership of the shadow group also gives the cupsys user read access to the password hashes in /etc/shadow. Change the shadow group line in /etc/group to include the cupsys user:
{{{
ncampbell@naaman:~$ sudo vi /etc/group
shadow:x:42:cupsys
}}}
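To audit which accounts end up in the shadow group after a change like this, the following added example (not part of the original guide) lists both supplementary members from the group file and accounts whose primary GID is the shadow GID. The function name shadow_readers and the sample group and passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# shadow_readers GROUP_FILE PASSWD_FILE
# Lists every account in the shadow group: supplementary members from
# the group file plus accounts whose primary GID (passwd field 4) is
# the shadow GID. On Ubuntu these accounts can read /etc/shadow.
shadow_readers() {
    awk -F: '
        FNR == NR {                      # first file: group database
            if ($1 == "shadow") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") r[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { r[$1] = 1 }   # second file: passwd
        END { for (u in r) print u }
    ' "$1" "$2" | sort
}

# Constructed sample data (hypothetical accounts, not from a real host).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/group" <<'EOF'
root:x:0:
lp:x:7:cupsys
shadow:x:42:cupsys
EOF
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
cupsys:x:107:7:cupsys:/home/cupsys:/bin/false
pwaudit:x:900:42:constructed account:/nonexistent:/bin/false
EOF

shadow_readers "$sample/group" "$sample/passwd"
```

Run against the live files with `shadow_readers /etc/group /etc/passwd`; on a default install the list is expected to be empty.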
Locale
During initial testing, it appeared that the locale was not being set correctly after logging into GNOME. The locale issue appears to be a user-specific problem from when users used to log on to a Java Desktop System (JDS) - Solaris 10 machine. Ubuntu provides adequate language configuration during the installation process. If additional languages need to be added or the default GNOME language needs to be changed, use the Language Selector program:
ncampbell@naaman:~$ sudo /usr/bin/gnome-language-selector
Keyboard
Part of configuring Ubuntu for corporate use is the locking down of the desktop. Limiting the number of keyboard shortcuts, and limiting configuration of shortcuts, is part of restricting access to sections of GNOME.
Adapted from the UbuntuOnSunRay wiki, listed below are a set of suggested shortcuts to be made available to users:
- Launch help browser - Help*
- Lock screen - "Moon"*
- Home folder - Open*
- Search - Find*
- Take a screenshot - Print
- Take a screenshot of a window - <Alt>Print
- Close window - <Alt>F4
- Move between windows with popup - <Alt>Tab
- Switch to workspace on the left - <Control><Alt>Left
- Switch to workspace on the right - <Control><Alt>Right
(* denotes Sun Keyboard specific keys - could be mapped to other keys on other keyboards)
To forcibly set the shortcuts, use the gconftool-2 command. Follow the procedures listed on the UbuntuOnSunRay wiki - [https://wiki.ubuntu.com/UbuntuOnSunRay#head-2e702178e1ed7893504b43a908075e510af3cf37 Keyboard Shortcuts] - as a guide on how to lock down keyboard shortcuts.
Locking Down GNOME
GNOME Menu
Word Processing Suite
Terminals
Multimedia
Time/Date
Additional Notes
This document, when completed, will be broken down into individual wikis relating to each section and a short paragraph on how each section relates to this document will remain. Breaking down this wiki will allow other contributors to add links to their own wikis, for example, a wiki on how to setup Ubuntu to authenticate off an OpenLDAP server.
CorporateUbuntu (last edited 2008-08-06 16:32:29 by localhost)