CorporateUbuntu
A suggested guide to setting up Ubuntu for use in a corporate environment by Naaman Campbell.
INCOMPLETE DOCUMENT - TESTING IN PROGRESS
Created: DateTime by NaamanCampbell
Contributors: NaamanCampbell
Status: IncompleteSpecification
Foreword
Ubuntu has the potential to be a forerunner in the business Linux desktop market and, potentially, the general desktop market. Combining Ubuntu with a low-cost thin-client architecture such as SunRay (see UbuntuOnSunRay) could be the answer to numerous biased lower TCO reports being advertised by Microsoft.
This document covers migration from a Sun Solaris 8 CDE user environment to Ubuntu and a number of best practices for a multi-user environment. Although there will be some Sun-specific sections, the aim of the document is to provide and facilitate collaboration on a generic guide for setting up Ubuntu in the corporate environment.
Introduction
The setup of the CorporateUbuntu environment is broken up into the following:
- Authentication
- Home Directories
- Remote Mounts
- Printing
- Locale
- Keyboard
- Locking Down GNOME
- GNOME Menu
- Word Processing Suite
- Terminals
- Multimedia
Authentication
Prior to the migration to Ubuntu, NIS was used for authentication. Authentication was migrated over to an LDAP-based system using a Sun Java Enterprise System Directory Server. As the configuration of Ubuntu LDAP clients is the main concern of this section, the configuration of LDAP on a Sun Directory Server is outside the scope of this document. Secure LDAP will be considered at a later date.
A suggested precautionary measure is to log in as root on a separate console because if the LDAP setup is broken at any stage, the sudo command may not work. To establish a password for root to enable logging in, perform the following command:
ncampbell@naaman:~$ sudo passwd root
The first step is to set up nss-ldap, the LDAP module for the Name Service Switch. During installation, accept all the defaults:
ncampbell@naaman:~$ sudo apt-get install libnss-ldap
In order to authenticate using LDAP, /etc/nsswitch.conf will need to be edited:
ncampbell@naaman:~$ sudo vi /etc/nsswitch.conf
# perform the following vi commands
:1,$s/compat/files ldap/g
:x!
The /etc/libnss-ldap.conf file is where all the settings are configured. For brevity, the example libnss-ldap.conf is attached and not listed in this document - attachment:libnss-ldap.conf. The configuration may be suited only for use with a Sun Directory Server.
To test the setup of nss-ldap, perform the following command to see a listing of LDAP shadow entries:
ncampbell@naaman:~$ getent shadow
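The nsswitch.conf edit above can also be done without an interactive vi session, with a backup and a check that passwd, group and shadow consult local files before LDAP. This is an added example, not part of the original guide; the function names are hypothetical and the sample file is constructed in a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed here.

# Replace every "compat" source with "files ldap", keeping a backup copy.
nss_enable_ldap() {
    cp -p "$1" "$1.bak" || return 1
    sed 's/compat/files ldap/g' "$1.bak" > "$1"
}

# Print each of passwd/group/shadow that does not list "files" before
# "ldap"; return non-zero if any database is printed.
nss_check_ldap() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^(passwd|group|shadow):$/ {
            db = $1; sub(/:$/, "", db); seen[db] = 1
            f = 0; l = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "ldap" && !l) l = i
            }
            if (!(f && l && f < l)) { print db; bad = 1 }
        }
        END {
            n = split("passwd group shadow", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Constructed sample of a stock nsswitch.conf, edited in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
if nss_check_ldap "$demo_dir/nsswitch.conf" >/dev/null; then
    echo "before: ldap enabled"
else
    echo "before: ldap not enabled"
fi
nss_enable_ldap "$demo_dir/nsswitch.conf"
nss_check_ldap "$demo_dir/nsswitch.conf" && echo "after: files then ldap"
```

On a real system the argument would be /etc/nsswitch.conf and the functions would need to run as root.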
The next step requires pam-ldap, the LDAP-specific PAM package. Answer <No> to the 2 questions asked during installation:
ncampbell@naaman:~$ sudo apt-get install libpam-ldap
The configuration file provided with the libpam-ldap package is unnecessary and can be replaced by libnss-ldap.conf:
ncampbell@naaman:~$ sudo rm /etc/pam_ldap.conf
ncampbell@naaman:~$ sudo ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf
To complete the configuration of the pam-ldap package, the following files in the /etc/pam.d directory need to be changed:
ncampbell@naaman:~$ cd /etc/pam.d
ncampbell@naaman:/etc/pam.d$ sudo vi common-account
account sufficient pam_ldap.so
account required pam_unix.so
ncampbell@naaman:/etc/pam.d$ sudo vi common-auth
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
ncampbell@naaman:/etc/pam.d$ sudo vi common-password
password sufficient pam_ldap.so nullok
password required pam_unix.so nullok obscure min=4 max=8 md5
ncampbell@naaman:/etc/pam.d$ sudo vi common-session
session sufficient pam_ldap.so
session required pam_unix.so
ncampbell@naaman:/etc/pam.d$ cd ~
To test the setup of the pam-ldap package, attempt to log on as an LDAP user.
The final step in the LDAP client setup is to install nscd, the name service caching daemon, to prevent excess LDAP traffic:
ncampbell@naaman:~$ sudo apt-get install nscd
ncampbell@naaman:~$ sudo mkdir -p /var/db/nscd /var/run/nscd
ncampbell@naaman:~$ sudo /etc/init.d/nscd start
References
[http://www.metaconsultancy.com/whitepapers/ldap-linux.htm LDAP Authentication for Linux]
[http://craige.mcwhirter.com.au/2005/ubuntu-ldap-client.html Making a Debian or Ubuntu Machine an LDAP Authentication Client] - more suited to an OpenLDAP environment
[http://web.singnet.com.sg/~garyttt/Installing%20and%20configuring%20iPlanet%20Directory%20Server%20for%20Solaris9.htm Installing and configuring iPlanet Directory Server for Solaris9] - namely Step 4: Configure RedHat Linux LDAP Client (OpenLDAP+PADL libraries) - also a good source of information on setting up a Sun Directory Server
Home Directories
The users' home directories reside on a Solaris server and are shared out via NFS. The home directories are therefore automounted upon logging into the Ubuntu machine.
To set up automounted home directories, the autofs package is required:
ncampbell@naaman:~$ sudo apt-get install autofs nfs-common
The remaining step is to set up the configuration files and start the service:
ncampbell@naaman:~$ sudo vi /etc/auto.master
/home /etc/auto.home
ncampbell@naaman:~$ sudo vi /etc/auto.home
* solarisbox.naaman.com.au:/export/home/&
ncampbell@naaman:~$ sudo /etc/init.d/autofs start
Remote Mounts
Similar to the home directories, the Solaris server contains multiple shares available over NFS. To mount the directories upon booting, /etc/fstab needs to be edited:
ncampbell@naaman:~$ sudo vi /etc/fstab
solarisbox1:/export/common /mount/solarisbox1_common nfs rw 0 0
solarisbox2:/export/common /mount/solarisbox2_common nfs rw 0 0
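Both the autofs home map and the fstab entries above mount NFS exports with default options, so setuid binaries and device nodes on the server's exports are honoured by the Ubuntu client. The following added example (not part of the original guide) audits both file formats for the nosuid and nodev options; nfs_audit is a hypothetical helper, the hardening check is an assumption of this example rather than a step from the guide, and the sample files are constructed.

```shell
#!/bin/sh
# Added example; nfs_audit is a hypothetical helper, sample files are constructed.

# nfs_audit FORMAT FILE
#   FORMAT "fstab":   device  mountpoint  type  options ...
#   FORMAT "automap": key  [-options]  location
# Prints "<mountpoint-or-key>: missing <opts>" for each NFS entry without
# nosuid and nodev; returns non-zero if anything was printed.
nfs_audit() {
    awk -v fmt="$1" '
        /^[ \t]*#/ || NF == 0 || /^\+/ { next }
        fmt == "fstab" {
            if ($3 !~ /^nfs4?$/) next
            name = $2; opts = $4
        }
        fmt == "automap" {
            name = $1; opts = ($2 ~ /^-/) ? substr($2, 2) : ""
        }
        {
            miss = ""; padded = "," opts ","
            if (padded !~ /,nosuid,/) miss = miss " nosuid"
            if (padded !~ /,nodev,/) miss = miss " nodev"
            if (miss != "") { print name ": missing" miss; bad = 1 }
        }
        END { exit bad + 0 }' "$2"
}

demo_dir=$(mktemp -d)
# First fstab entry as in this guide, second with the options added (constructed).
cat > "$demo_dir/fstab" <<'EOF'
solarisbox1:/export/common /mount/solarisbox1_common nfs rw 0 0
solarisbox2:/export/common /mount/solarisbox2_common nfs rw,nosuid,nodev 0 0
EOF
# The wildcard home map from this guide, then with mount options added.
echo '* solarisbox.naaman.com.au:/export/home/&' > "$demo_dir/auto.home"
echo '* -rw,nosuid,nodev solarisbox.naaman.com.au:/export/home/&' \
    > "$demo_dir/auto.home.hardened"

nfs_audit fstab "$demo_dir/fstab" || true
nfs_audit automap "$demo_dir/auto.home" || true
nfs_audit automap "$demo_dir/auto.home.hardened" && echo "auto.home.hardened: ok"
```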
Printing
The Ubuntu printing setup has disabled the use of CUPS for administration of printers for security reasons. A current oversight by the developers of the Ubuntu printing interface is the inability to name or rename printers. Printers are named after the printer model, which does not scale in a large environment where several printers of the same model may exist.
A workaround is to rename the entry made in /etc/cups/printers.conf and create a symbolic link to the printer model PPD file in the /etc/cups/ppd directory. Below is a script that can be installed into /usr/local/bin and run immediately after setting up a printer:
ncampbell@naaman:~$ sudo vi /usr/local/bin/changeprintername
#!/bin/bash
#
############################################
#
# changeprintername - changes the name of a
#                     printer that was
#                     created using Ubuntu
#                     Printing GUI
#
# Usage: changeprintername old_name new_name
#
# Written: Naaman Campbell
#          22 November 2005
#
############################################

CUPS_DIR=/etc/cups
CONF=$CUPS_DIR/printers.conf
PPD_DIR=$CUPS_DIR/ppd

# Usage Check
if [ $# -ne 2 ]; then
  echo "Usage: $0 old_name new_name"
  exit 1
fi

# Both names end up in sed expressions and file paths while running as
# root, so only accept letters, digits, '.', '_' and '-'
for NAME in "$1" "$2"; do
  case $NAME in
    ""|*[!A-Za-z0-9._-]*)
      echo "Invalid printer name: $NAME"
      exit 1
      ;;
  esac
done

##################################
# DISPLAY CONFIG AND PROMPT USER #
##################################

# find line number of first instance of old printer name
LINE=`grep -m 1 -n -- "$1" "$CONF" | cut -d: -f1`
if [ -z "$LINE" ]; then
  echo "Printer $1 not found in $CONF"
  exit 1
fi

# obtain a magic number for 'tail'
LINECOUNT=`wc -l < "$CONF"`
TAILNUM=`expr $LINECOUNT - $LINE`

# find number of lines between start and end of
# config section for printer
PATTERN="</Printer>"
NUMOFLINES=`tail -n $TAILNUM "$CONF" | grep -m 1 -n "$PATTERN" | cut -d: -f1`
ENDLINE=`expr $LINE + $NUMOFLINES`

# display current config to user
echo
echo "Confirm changing the current printer $1 to $2"
echo "with the following configuration.."
echo
sed -n "${LINE},${ENDLINE}p" "$CONF"
echo
echo "Proceed with printer name change? (y or n)"
read answer
case $answer in
  y)
    echo "Changing $1 to $2"
    ;;
  n)
    echo "Exiting.."
    exit
    ;;
  *)
    echo "Invalid selection, now exiting.."
    exit 1
    ;;
esac

###################
# PERFORM CHANGES #
###################

# create symlink
echo
echo "Creating symlink.."
ln -s "$PPD_DIR/$1.ppd" "$PPD_DIR/$2.ppd"

# update config file (only the line holding the old name)
echo "Updating configuration file.."
sed -i -e "${LINE}s/$1/$2/" "$CONF"

# restart cups
echo "Restarting CUPS.."
/etc/init.d/cupsys restart

echo "Script completed operations.."
ncampbell@naaman:~$ sudo chmod u+x /usr/local/bin/changeprintername
The changeprintername script is also available as an attachment - attachment:changeprintername
After a new printer is added to the system, the script can be run as follows:
ncampbell@naaman:~$ sudo /usr/local/bin/changeprintername old_name new_name
Locale
Keyboard
Locking Down GNOME
GNOME Menu
Word Processing Suite
Terminals
Multimedia