CorporateUbuntu

Revision 27 as of 2005-11-28 22:37:46


A suggested guide to setting up Ubuntu for use in a corporate environment by Naaman Campbell.

INCOMPLETE DOCUMENT - TESTING IN PROGRESS


Foreword

Ubuntu has the potential to be a forerunner in the business Linux desktop market and potentially, the general desktop market. Combining Ubuntu with a low-cost thin-client architecture such as SunRay (see UbuntuOnSunRay) could be the answer to numerous biased lower TCO reports being advertised by Microsoft.

This document covers migration from a Sun Solaris 8 CDE user environment to Ubuntu, together with a number of best practices for a multi-user environment. Although some sections are specific to a Sun environment, the aim of the document is to provide, and facilitate collaboration on, a generic guide for setting up Ubuntu in the corporate environment.

This guide is based on a clean install of Ubuntu Breezy Badger (5.10).

Introduction

The setup of the CorporateUbuntu environment is broken up into the following:

  • Authentication
  • Home Directories
  • Remote Mounts
  • Printing
  • Locale
  • Keyboard
  • Locking Down GNOME
  • GNOME Menu
  • Email
  • Word Processing Suite
  • Terminals
  • Multimedia
  • Time/Date

Authentication

Prior to the migration to Ubuntu, NIS was used for authentication. Authentication was migrated to an LDAP-based system using a Sun Java Enterprise System Directory Server. As the configuration of Ubuntu LDAP clients is the main concern of this section, the configuration of LDAP on a Sun Directory Server is outside the scope of this document. Secure LDAP will be considered at a later date; until then, bind credentials and any password attributes the server returns cross the network unencrypted.

A suggested precautionary measure is to keep a root login open on a separate console, because if the LDAP setup breaks at any stage, the sudo command may stop working. To set a password for root so that it can log in, perform the following command:

ncampbell@naaman:~$ sudo passwd root

The first step is to set up nss-ldap, the LDAP module for the name service switch (NSS). During installation, accept all the defaults:

ncampbell@naaman:~$ sudo apt-get install libnss-ldap

In order to authenticate using LDAP, /etc/nsswitch.conf will need to be edited:

ncampbell@naaman:~$ sudo vi /etc/nsswitch.conf

# perform the following vi commands
:1,$s/compat/files ldap/g
:x!

The /etc/libnss-ldap.conf file is where all the settings are configured. For brevity, the example libnss-ldap.conf is attached and not listed in this document - attachment:libnss-ldap.conf The configuration may be suited only for use with a Sun Directory Server.

To test the nss-ldap setup, perform the following command to confirm that shadow entries are now being read from LDAP:

ncampbell@naaman:~$ getent shadow

The next step requires pam-ldap, the LDAP-specific PAM package. Answer <No> to the 2 questions asked during installation:

ncampbell@naaman:~$ sudo apt-get install libpam-ldap

The configuration file provided with the libpam-ldap package is unnecessary and can be replaced by libnss-ldap.conf:

ncampbell@naaman:~$ sudo rm /etc/pam_ldap.conf
ncampbell@naaman:~$ sudo ln -s /etc/libnss-ldap.conf /etc/pam_ldap.conf

To complete the configuration of the pam-ldap package, the following files in the /etc/pam.d directory need to be changed:

ncampbell@naaman:~$ cd /etc/pam.d
ncampbell@naaman:/etc/pam.d$ sudo vi common-account

  account sufficient    pam_ldap.so
  account required      pam_unix.so

ncampbell@naaman:/etc/pam.d$ sudo vi common-auth

  auth  sufficient      pam_ldap.so
  auth  required        pam_unix.so nullok_secure use_first_pass

ncampbell@naaman:/etc/pam.d$ sudo vi common-password

  password  sufficient pam_ldap.so nullok
  password  required   pam_unix.so nullok obscure min=4 max=8 md5

ncampbell@naaman:/etc/pam.d$ sudo vi common-session

  session sufficient    pam_ldap.so
  session required      pam_unix.so

ncampbell@naaman:/etc/pam.d$ cd ~

To test the setup of the pam-ldap package, attempt to log on as an LDAP user.

The final step in the LDAP client setup is to install nscd, the name service caching daemon, to prevent excess LDAP traffic:

ncampbell@naaman:~$ sudo apt-get install nscd
ncampbell@naaman:~$ sudo mkdir -p /var/db/nscd /var/run/nscd
ncampbell@naaman:~$ sudo /etc/init.d/nscd start
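Before closing the root console kept open at the start of this section, it is worth checking the client configuration rather than relying on a single test login. The script below is an added example for this page, not code from the original wiki or from the libnss-ldap/libpam-ldap packages; the function names are hypothetical and the sample configuration files it builds are constructed copies of the settings shown above, so it runs without an LDAP server.

```shell
#!/bin/sh
# Added example for this wiki page (not the page's own code): sanity checks
# for an Ubuntu LDAP client, to run from the root console kept open above
# before relying on LDAP logins. Every check takes a file or directory path
# so it can be run against test copies as well as the live /etc.

# nsswitch_uses_ldap FILE: succeed only if the passwd, group and shadow
# databases in FILE (normally /etc/nsswitch.conf) list ldap as a source.
nsswitch_uses_ldap() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|\$)" "$1" || return 1
    done
    return 0
}

# pam_has_ldap FILE TYPE: succeed if FILE has an active (uncommented) line of
# module type TYPE (auth, account, password or session) that loads pam_ldap.so.
pam_has_ldap() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+(sufficient|required|requisite|optional)[[:space:]]+pam_ldap\.so" "$1"
}

# ldap_user_resolves NAME: succeed if the name service switch can resolve
# NAME at all; with libnss-ldap configured this exercises the LDAP server.
ldap_user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# check_client ETC: run the file checks against directory ETC (normally /etc),
# print one line per check and return the number of failed checks.
check_client() {
    etc=$1
    failed=0
    if nsswitch_uses_ldap "$etc/nsswitch.conf"; then
        echo "ok   nsswitch.conf consults ldap for passwd, group and shadow"
    else
        echo "FAIL nsswitch.conf still lacks ldap for passwd, group or shadow"
        failed=$((failed + 1))
    fi
    for t in auth account password session; do
        if pam_has_ldap "$etc/pam.d/common-$t" "$t"; then
            echo "ok   pam.d/common-$t loads pam_ldap.so"
        else
            echo "FAIL pam.d/common-$t does not load pam_ldap.so"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# sample_etc OK: build a constructed copy of the relevant files in a temporary
# directory and print its path. With OK=yes the files match the page's
# configuration; with OK=no nsswitch.conf is left at the stock "compat"
# setting and common-auth has pam_ldap commented out, two common
# half-finished states.
sample_etc() {
    d=$(mktemp -d)
    mkdir "$d/pam.d"
    if [ "$1" = yes ]; then
        printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$d/nsswitch.conf"
        printf 'auth\tsufficient\tpam_ldap.so\nauth\trequired\tpam_unix.so nullok_secure use_first_pass\n' > "$d/pam.d/common-auth"
    else
        printf 'passwd: compat\ngroup: compat\nshadow: compat\nhosts: files dns\n' > "$d/nsswitch.conf"
        printf '#auth\tsufficient\tpam_ldap.so\nauth\trequired\tpam_unix.so nullok_secure\n' > "$d/pam.d/common-auth"
    fi
    printf 'account\tsufficient\tpam_ldap.so\naccount\trequired\tpam_unix.so\n' > "$d/pam.d/common-account"
    printf 'password\tsufficient\tpam_ldap.so nullok\npassword\trequired\tpam_unix.so nullok obscure min=4 max=8 md5\n' > "$d/pam.d/common-password"
    printf 'session\tsufficient\tpam_ldap.so\nsession\trequired\tpam_unix.so\n' > "$d/pam.d/common-session"
    echo "$d"
}

# Usage on a real client, after the steps above (some_ldap_user is a placeholder):
#   check_client /etc && ldap_user_resolves some_ldap_user && echo "LDAP client looks sane"
```

The file checks deliberately look for an uncommented pam_ldap.so line of the right module type, so a `#auth sufficient pam_ldap.so` left behind by an aborted edit is reported as a failure rather than counted as configured.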

References

Home Directories

The users' home directories reside on a Solaris server and are shared out via NFS. The home directories are therefore automounted upon logging into the Ubuntu machine.

To set up automounted home directories, the autofs package (together with nfs-common for the NFS client) is required:

ncampbell@naaman:~$ sudo apt-get install autofs nfs-common

The remaining step is to set up the configuration files and start the service:

ncampbell@naaman:~$ sudo vi /etc/auto.master

  /home         /etc/auto.home

ncampbell@naaman:~$ sudo vi /etc/auto.home

  *             solarisbox.naaman.com.au:/export/home/&

ncampbell@naaman:~$ sudo /etc/init.d/autofs start

Remote Mounts

Similar to the home directories, the Solaris server contains multiple shares available over NFS. To mount the directories upon booting, /etc/fstab needs to be edited:

ncampbell@naaman:~$ sudo vi /etc/fstab

  solarisbox1:/export/common     /mount/solarisbox1_common      nfs     rw    0  0
  solarisbox2:/export/common     /mount/solarisbox2_common      nfs     rw    0  0
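The fstab entries above mount the shares with plain `rw`. The content of an NFS share is controlled by the exporting host, so a client that mounts it without `nosuid` and `nodev` will honour setuid binaries and device nodes placed on the share. The audit script below is an added example for this page, not code from the original wiki; the function names are hypothetical and the fstab it builds is a constructed sample modelled on the entries above.

```shell
#!/bin/sh
# Added example for this wiki page (not the page's own code): audit the nfs
# entries in an fstab for the nosuid and nodev mount options. Files on a
# share are controlled by the exporting host, so unless the client mounts
# with nosuid and nodev, a setuid binary or device node placed on the share
# is honoured locally; plain "rw" as in the page's entries leaves that open.

# nfs_missing_options FILE: print "<mountpoint> missing <options>" for every
# nfs/nfs4 entry in FILE that lacks nosuid or nodev, and return the number
# of such entries (0 means every nfs mount carries both options).
nfs_missing_options() {
    count=0
    while read -r dev mnt type opts rest; do
        # skip blank lines and comments
        case "$dev" in ''|\#*) continue ;; esac
        [ "$type" = nfs ] || [ "$type" = nfs4 ] || continue
        missing=""
        for want in nosuid nodev; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing $want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing$missing"
            count=$((count + 1))
        fi
    done < "$1"
    return $count
}

# sample_fstab: write a constructed fstab to a temporary file and print its
# path. The first nfs line is modelled on the page's entries; the second
# shows the hardened form of the same mount.
sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab
proc                           /proc                         proc    defaults            0  0
solarisbox1:/export/common     /mount/solarisbox1_common     nfs     rw                  0  0
solarisbox2:/export/common     /mount/solarisbox2_common     nfs     rw,nosuid,nodev     0  0
EOF
    echo "$f"
}

# Usage on a real client: nfs_missing_options /etc/fstab
```

Run against the sample, the first share is reported as missing both options and the function returns 1; the same check applied to the autofs map for home directories would need the options added to the map entry instead of fstab.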

Printing

The Ubuntu printing setup has disabled the CUPS web interface for administering printers, for security reasons. A current oversight by the developers of the Ubuntu printing interface is that printers cannot be named or renamed: each printer is named after its model, which does not scale in a large environment where several printers of the same model may exist.

A workaround is to rename the entry made in /etc/cups/printers.conf and create a symbolic link to the printer model PPD file in the /etc/cups/ppd directory. Below is a script that can be installed into /usr/local/bin and run immediately after setting up a printer:

ncampbell@naaman:~$ sudo vi /usr/local/bin/changeprintername

  #!/bin/bash
  #
  ############################################
  #
  # changeprintername - changes the name of a
  #                     printer that was
  #                     created using Ubuntu
  #                     Printing GUI
  #
  # Usage: changeprintername old_name new_name
  #
  # Written: Naaman Campbell
  #          22 November 2005
  #
  ############################################

  CUPS_DIR=/etc/cups
  CONF=$CUPS_DIR/printers.conf
  PPD_DIR=$CUPS_DIR/ppd

  # Usage check
  if [ $# -ne 2 ]; then
    echo "Usage: $0 old_name new_name"
    exit 1
  fi

  # The script rewrites files under /etc/cups, so it must run as root
  if [ "$(id -u)" -ne 0 ]; then
    echo "$0 must be run as root (use sudo)"
    exit 1
  fi

  ##################################
  # DISPLAY CONFIG AND PROMPT USER #
  ##################################

  # find line number of the <Printer old_name> (or <DefaultPrinter old_name>)
  # header; matching the whole header avoids hitting another printer whose
  # name merely contains old_name
  LINE=$(grep -E -m 1 -n "^<(Default)?Printer $1>" "$CONF" | cut -d: -f1)
  if [ -z "$LINE" ]; then
    echo "No printer named $1 found in $CONF"
    exit 1
  fi

  # find the end of the printer's config section: the first </Printer>
  # after the header (grep -n numbers lines relative to the tail)
  NUMOFLINES=$(tail -n +"$((LINE + 1))" "$CONF" | grep -m 1 -n "</Printer>" | cut -d: -f1)
  ENDLINE=$((LINE + NUMOFLINES))

  # display current config to user
  echo
  echo "Confirm changing the current printer $1 to $2"
  echo "with the following configuration.."
  echo
  sed -n "${LINE},${ENDLINE}p" "$CONF"
  echo
  echo "Proceed with printer name change? (y or n)"
  read -r answer

  case $answer in
        y)      echo "Changing $1 to $2"
                ;;
        n)      echo "Exiting.."
                exit 0
                ;;
        *)      echo "Invalid selection, now exiting.."
                exit 1
                ;;
  esac

  ###################
  # PERFORM CHANGES #
  ###################

  # create symlink so the renamed printer still finds its PPD
  echo
  echo "Creating symlink.."
  ln -s "$PPD_DIR/$1.ppd" "$PPD_DIR/$2.ppd"

  # update config file: only the section header line is changed
  echo "Updating configuration file.."
  sed -i -e "${LINE}s/<\(Default\)\?Printer $1>/<\1Printer $2>/" "$CONF"

  # restart cups
  echo "Restarting CUPS.."
  /etc/init.d/cupsys restart

  echo "Script completed operations.."

ncampbell@naaman:~$ sudo chmod u+x /usr/local/bin/changeprintername

The changeprintername script is also available as an attachment - attachment:changeprintername

After a new printer is added to the system, the script can be run as follows:

ncampbell@naaman:~$ sudo /usr/local/bin/changeprintername old_name new_name

Alternative Method

It is possible to subvert the measures set up by the Ubuntu printing team and enable access to the CUPS administration web pages. By adding the cupsys user to the shadow group, the cupsys user is able to edit the necessary printing system files; it also gains read access to /etc/shadow, which is what the web interface uses to authenticate administrators. The trade-off is that the CUPS daemon, a network-facing service, then holds read access to every local password hash, so a compromise of CUPS exposes them; that exposure is the reason the Ubuntu packaging disabled the interface. Change the shadow group line in /etc/group to include the cupsys user:

ncampbell@naaman:~$ sudo vi /etc/group

  shadow:x:42:cupsys

Locale

During initial testing, it appeared that the locale was not being set correctly after logging into GNOME. The locale issue appears to be user-specific, left over from when users logged on to a Java Desktop System (JDS) Solaris 10 machine. Ubuntu provides adequate language configuration during the installation process. If additional languages need to be added or the default GNOME language needs to be changed, use the Language Selector program:

ncampbell@naaman:~$ sudo /usr/bin/gnome-language-selector

Keyboard

Part of configuring Ubuntu for corporate use is locking down the desktop. Limiting the number of keyboard shortcuts, and limiting configuration of shortcuts, is part of restricting access to sections of GNOME.

Adapted from the UbuntuOnSunRay wiki, the shortcuts suggested for users are listed below:

  • Launch help browser - Help*
  • Lock screen - "Moon"*
  • Home folder - Open*
  • Search - Find*
  • Take a screenshot - Print
  • Take a screenshot of a window - <Alt>Print
  • Close window - <Alt>F4
  • Move between windows with popup - <Alt>Tab
  • Switch to workspace on the left - <Control><Alt>Left
  • Switch to workspace on the right - <Control><Alt>Right

(* denotes Sun Keyboard specific keys - could be mapped to other keys on other keyboards)

To forcibly set the shortcuts, the gconftool-2 command must be used. Follow the procedure listed on the UbuntuOnSunRay wiki - [https://wiki.ubuntu.com/UbuntuOnSunRay#head-2e702178e1ed7893504b43a908075e510af3cf37 Keyboard Shortcuts] - as a guide on how to lock down keyboard shortcuts.

Locking Down GNOME

It appears that the GNOME team has withdrawn the lockdown configuration tool that was present in GNOME 2.6. That lockdown setup was also undesirable, as it did not allow users to drag and drop shortcuts from the GNOME menu onto the desktop or menu bar.

The lockdown procedure currently has two concerns: ensuring a consistent look-and-feel across all desktops, and setting minor options for users. The look-and-feel is controlled by three areas: theme, background and screensaver.

Theme and background are controlled by the gconf database and can be enforced system-wide. The Clearlooks theme was selected to replace the initially unpopular brown Human theme. Clearlooks, coupled with a background consisting of a 150x150 company logo on a dark-to-light grey vertical gradient, makes for a clean-looking desktop. Prior to performing the gconftool-2 commands below, ensure all users are logged out of GNOME: --direct writes to the mandatory source behind the back of the gconfd-2 daemon, so no gconfd-2 instance should be running (perform the commands from a text console or a remotely logged-in session):

ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/background/color_shading_type "vertical-gradient"
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /desktop/gnome/background/draw_background true
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/background/picture_filename "/usr/share/backgrounds/company_logo.png"
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /desktop/gnome/background/picture_opacity 100
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/background/picture_options "centered"
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/background/primary_color "#3E3A36"
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/background/secondary_color "#DFDFDF"
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /desktop/gnome/interface/gtk_theme "Clearlooks"

Screensaver configuration is separate from the gconf system and is configured system-wide via /etc/X11/app-defaults/XScreenSaver. Although a system-wide file exists, users are still able to change the settings by creating a .xscreensaver file in their home directories. A suggested method of locking down the screensavers is to "mv" the screensaver binaries from /usr/lib/xscreensaver to another directory that normal users cannot access. In addition to moving the screensaver files, a potential method of locking down xscreensaver is to create a read-only, root-owned .xscreensaver in the user's home directory when the user logs in to GNOME. Note that a user can still delete or rename a root-owned file in a directory they own (removal needs write permission on the directory, not on the file), so this discourages rather than prevents changes. Suggested settings for xscreensaver include:

  • Only one screensaver
  • Blank after 10 minutes
  • Lock screen upon blanking
  • The GLText (clock) screensaver, with all effects turned off, displaying:
    • Company Name
    • Monday
    • 28 Nov 2005 11:39:07 AM

A sample /etc/X11/app-defaults/XScreenSaver containing the above suggested settings is attached - attachment:XScreenSaver

Note: At present, the decision is to use no screensaver, as most screensavers use around 5% CPU per user over a thin-client architecture. The GLText (clock) screensaver used around 10% and may be replaced by a more suitable screensaver.

The minor settings that can form part of locking down the environment include changing the default archive extension to .zip and the configuration of sound settings within GNOME to turn on sound and turn off sound events. Once again, prior to performing these gconftool-2 commands, ensure all users are logged out of GNOME:

ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/file-roller/dialogs/batch-add/default_extension ".zip"
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /desktop/gnome/sound/event_sounds false
ncampbell@naaman:~$ sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /desktop/gnome/sound/enable_esd true

GNOME Menu

Email

Word Processing Suite

Terminals

Multimedia

Time/Date

Additional Notes

This document, when completed, will be broken down into individual wikis relating to each section, and a short paragraph on how each section relates to this document will remain. Breaking down this wiki will allow other contributors to add links to their own wikis, for example a wiki on how to set up Ubuntu to authenticate against an OpenLDAP server.