krypted.com

Tiny Deathstars of Foulness

On Sunday, I mentioned making your forward and reverse DNS entries match up. But I didn’t really discuss what to do if they don’t. For those readers moving into Ubuntu from Mac OS X Server, you’ll note that at installation time, if the hostname doesn’t match the A record and PTR for your server, Mac OS X Server will install DNS and make them match up. The reason for this is that host names are critical to how many of the network services a modern server runs actually work. If you don’t have DNS, or if you want to fire up DNS in the same manner that Mac OS X Server does, then let’s look at doing so here.

First up, let’s get the packages that we’ll need installed using apt-get, which includes bind9 and dnsutils:

apt-get install bind9 dnsutils

Once those are installed, let’s define our zone and reverse zone in /etc/bind/named.conf.local:

zone "krypted.com" {
    type master;
    file "/etc/bind/zones/krypted.com.db";
};
zone "210.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.210.168.192.in-addr.arpa";
};

If you have other forward or reverse zones then you will need to add them using the same format as above. Once you’re done, save the file.

Next, let’s tell the server where to look when resolving names that it does not host. This is stored in the options block in /etc/bind/named.conf.options. The forwarders section is commented out by default (commented lines start with //), so uncomment it by removing the // in front of those lines and change the forwarder IP from 0.0.0.0 to the address of the upstream DNS server you want unresolved queries sent to (4.2.2.2 in this example). Note that each address inside the block ends with a semicolon. It should look similar to the following when complete:

forwarders {
    4.2.2.2;
};

Next, we’re going to create our

mkdir /etc/bind/zones
touch /etc/bind/zones/krypted.com.db
touch /etc/bind/zones/rev.210.168.192.in-addr.arpa

Now that we’ve created our files, let’s edit them. First, open /etc/bind/zones/krypted.com.db and look for all instances of krypted.com, replacing them with the domain name that you would like to use. Also, look through the records and make sure that they match the names and IPs you would like to use, creating a new line for each new record (text after a semicolon is a comment):

$TTL 604800
krypted.com. IN SOA ubuntu08.krypted.com. admin.krypted.com. (
        2007031001 ; serial, bump it on every change
        28800      ; refresh
        3600       ; retry
        604800     ; expire
        38400      ; minimum (negative-cache TTL)
)
krypted.com. IN NS ubuntu08.krypted.com.
krypted.com. IN MX 10 mail.krypted.com.
www      IN A 192.168.210.2
home     IN A 192.168.210.2
mta      IN A 192.168.210.2
mail     IN A 192.168.210.2    ; the MX target above needs an address record
ubuntu08 IN A 192.168.210.254  ; this server, the name server for the zone

Next, we’ll populate the reverse zone file. You’ll need to replace my instances with your own as in the previous section. Open /etc/bind/zones/rev.210.168.192.in-addr.arpa in your favorite text editor and edit away (note that names in PTR records must end with a trailing dot, or BIND appends the reverse zone’s name to them):

$TTL 604800
@ IN SOA ubuntu08.krypted.com. admin.krypted.com. (
        2007031001 ; serial
        28800      ; refresh
        604800     ; retry
        604800     ; expire
        86400      ; minimum
)
@   IN NS  ubuntu08.krypted.com.
1   IN PTR krypted.com.
254 IN PTR ubuntu08.krypted.com.  ; matches the A record for the name server

Next, we’ll restart the DNS services to accept these massive changes we’ve made:

/etc/init.d/bind9 restart

Next, edit /etc/resolv.conf to point the server at itself for DNS and (optionally) set a search domain, so that it looks something like the following:

search krypted.com
nameserver 192.168.210.254

Finally, you can use dig and nslookup to test the lookups and make sure they work. For example:

nslookup ubuntu08.krypted.com
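As an added example (not part of the original post), here is a small Python checker that parses a forward and a reverse zone file in the format shown above and reports A records with no matching PTR and PTRs whose target has no matching A, which is the mismatch the nslookup test would otherwise reveal by hand. The sample zones are constructed to mirror the post’s records; the zone names and addresses are the post’s own.

```python
import re

def qualify(name, origin):
    """Make a zone-file name fully qualified; '@' stands for the zone origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples from BIND zone text.  Drops ';' comments and the
    bracketed SOA timers; handles '@', relative names, optional TTL/class fields and owner
    inheritance (a line that starts with whitespace keeps the previous owner).  No $ORIGIN."""
    text = re.sub(r"\([^)]*\)", "", re.sub(r";.*", "", text))
    owner, records = origin, []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):          # blank line or $TTL directive
            continue
        if not line[0].isspace():
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                                     # optional TTL and class
        if len(fields) >= 2:
            records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return records

def ptr_owner(ip):
    """192.168.210.254 -> 254.210.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check(forward, fwd_origin, reverse, rev_origin):
    """List A records with no matching PTR, and PTRs whose target has no matching A."""
    a = {(o, r) for o, t, r in parse_zone(forward, fwd_origin) if t == "A"}
    ptr = {(o, qualify(r, rev_origin)) for o, t, r in parse_zone(reverse, rev_origin) if t == "PTR"}
    problems = []
    for name, ip in sorted(a):
        if ptr_owner(ip).endswith("." + rev_origin) and (ptr_owner(ip), name) not in ptr:
            problems.append(f"A {name} -> {ip} has no PTR in {rev_origin}")
    for owner, name in sorted(ptr):
        ip = ".".join(reversed(owner[:-len(".in-addr.arpa.")].split(".")))
        if (name, ip) not in a:
            problems.append(f"PTR {owner} -> {name} has no matching A record")
    return problems

# Constructed sample zones mirroring the post's examples.  The PTR for .1 lacks its
# trailing dot, so BIND reads the target as krypted.com.210.168.192.in-addr.arpa.
FORWARD = """krypted.com. IN SOA ubuntu08.krypted.com. admin.krypted.com. ( 2007031001 28800 3600 604800 38400 )
www      IN A 192.168.210.2
ubuntu08 IN A 192.168.210.254"""
REVERSE = """@   IN SOA ubuntu08.krypted.com. admin.krypted.com. ( 2007031001 28800 604800 604800 86400 )
    IN NS  ubuntu08.krypted.com.
1   IN PTR krypted.com
254 IN PTR ubuntu08.krypted.com."""
```

Running check(FORWARD, "krypted.com.", REVERSE, "210.168.192.in-addr.arpa.") flags the www host with no PTR and the unterminated krypted.com target, while ubuntu08 at .254 passes in both directions.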

November 22nd, 2010

Posted In: Ubuntu, Unix


One of the main reasons people get a server is to share files. Mac OS X Server is one of the more common devices used to share files to Mac OS X clients, using AFP, the default file sharing protocol for Mac OS X. But you don’t have to use Mac OS X Server. You can use Linux as well. We’re going to look at using an open source project called netatalk to do so. If, after reading this, you’d like to find out more about netatalk, then check out the open source project page at http://netatalk.sourceforge.net.

Netatalk can be installed through most of the package managers for Linux. However, due to licensing issues in many versions of Linux, the packaged builds may lack some of what you need: in particular the uams .so files for DHX, without which Mac OS X 10.5 and above will not be able to authenticate to the netatalk daemon. Therefore, we’re going to look at building netatalk from source using apt-get in Ubuntu or Debian (for Redhat, use yum). To get started let’s get our dependencies (everything in this article needs to be run with elevated privileges):

apt-get install dpkg-dev devscripts libssl-dev fakeroot cracklib2-dev

Now let’s grab the netatalk source:

apt-get source netatalk

Now let’s get any other dependencies we might not have noticed already:

apt-get build-dep netatalk

Now cd into the netatalk directory (current version is 2.0.3):

cd netatalk-2.0.3

Now let’s tell it to build with SSL enabled:

DEB_BUILD_OPTIONS=ssl debuild

And finally, install the built package:

dpkg -i ../netatalk_*.deb

Next, let’s choose which authentication mechanisms we want to support. I practically always enable the pam modules so that netatalk can pass authentication back through my directory service, and it’s very important for Mac OS X 10.5 and above support that you enable dhx as well. For most environments I’ll also disable cleartext passwords at this time. This is all done in the /etc/netatalk/afpd.conf file. At the bottom, by default, you will see a list of authentication modules. Add the following line, adding any additional uams modules you’d like to support and removing any you would not like to support:

- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so

We can also go ahead and restrict users from being able to save their password using the -nosavepassword option, meaning the line would instead appear as follows:

- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so -nosavepassword

Note: The afpd.conf man page and the project documentation will lay out more about what each of these does.

Once you have updated afpd.conf, edit the /etc/netatalk/AppleVolumes.default file, which is where you create your shares. At the bottom of this file, add a line for each new share (home directories are shared automatically by default). Each line specifies the path to the share, followed by how you want the share to appear in the Connect to Server dialog, followed by an allow statement listing who is able to access the share, and then the options for the share (options are described in the man page and in the commented descriptions in the file itself):

/SHARED/Accounting "Accounting" allow:accounting,root options:crlf,noadouble,mswindows,nodots,usehex dbpath:/tmp

The AppleVolumes.default file is also where you would change how the CNID database for a volume is stored (the dbpath option in the line above). In order to control which daemons run, or more likely to kill off the AppleTalk daemon, you’ll need to customize the /etc/default/netatalk file. Here, you can choose whether AppleTalk will run (ATALKD_RUN), whether to use bdb (CNID_METAD_RUN) and whether or not AFP will run (AFPD_RUN). You can also choose the maximum number of clients that may connect to the server (AFPD_MAX_CLIENTS) and set AppleTalk names and zones if you’re running AppleTalk (ATALK_NAME and ATALK_ZONE respectively). And by default, AFP guests (AFPD_GUEST) are mapped to nobody (for permissions)…
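As an added example that is not part of the original post, the following Python audit parses afpd.conf server lines and AppleVolumes.default share lines in the formats shown above and reports the settings the post tightens: guest or cleartext UAMs, a missing -nosavepassword, the absence of any DHX UAM, and a CNID dbpath under /tmp, which Ubuntu clears at boot. The sample lines are the post’s own; the finding text is mine.

```python
import shlex

WEAK_UAMS = {"uams_guest.so": "guest logins need no password",   # UAMs the post drops
             "uams_clrtxt.so": "passwords cross the wire in cleartext"}

def parse_afpd_line(line):
    """afpd.conf server line -> (name, {option: value}); a name of '-' is the default server."""
    tokens = shlex.split(line, comments=True)
    if not tokens:
        return None
    name, opts, i = tokens[0], {}, 1
    while i < len(tokens):                # options are '-flag' or '-key value'
        key = tokens[i].lstrip("-")
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[key], i = tokens[i + 1], i + 2
        else:
            opts[key], i = True, i + 1
    return name, opts

def audit_afpd(line):
    """Findings for one afpd.conf line, following the hardening steps in the post."""
    parsed = parse_afpd_line(line)
    if parsed is None:
        return []
    uams = str(parsed[1].get("uamlist", "")).split(",")
    findings = [f"{m}: {WEAK_UAMS[m]}" for m in uams if m in WEAK_UAMS]
    if not any(m.startswith("uams_dhx") for m in uams):
        findings.append("no DHX UAM: Mac OS X 10.5+ clients cannot authenticate")
    if "nosavepassword" not in parsed[1]:
        findings.append("-nosavepassword missing: clients may save the password")
    return findings

def audit_volume(line):
    """Findings for an AppleVolumes.default share line: path [\"name\"] key:value ..."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0].startswith(":"):   # blank, comment or :DEFAULT: line
        return []
    opts = dict(t.split(":", 1) for t in tokens[1:] if ":" in t)
    label = tokens[1] if len(tokens) > 1 and ":" not in tokens[1] else tokens[0]
    findings = []
    if opts.get("dbpath", "").startswith("/tmp"):
        findings.append(f"{label}: CNID database under /tmp is cleared at boot on Ubuntu")
    return findings

# Constructed samples: the post's two afpd.conf lines and its AppleVolumes.default share line.
AFPD_LINES = [
    "- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so",
    "- -transall -uamlist uams_guest.so,uams_dhx_pam.so,uams_dhx_passwd.so,uams_dhx.so -nosavepassword",
]
VOLUME_LINE = '/SHARED/Accounting "Accounting" allow:accounting,root options:crlf,noadouble,mswindows,nodots,usehex dbpath:/tmp'
```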

Once you’ve made your changes, save and then let’s restart the daemon and test connectivity:

/etc/init.d/netatalk restart

While testing, I usually like to run a tail of syslog to see if any errors pop up:

tail -f /var/log/syslog

When new versions come out, you will then be able to perform an update using apt-get as well:

apt-get update && apt-get install netatalk

If you find that through this you installed some things that you’d like to get rid of or that you’d like to start over, you can get rid of netatalk using the apt-get autoremove option:

apt-get autoremove netatalk

And if you don’t want the dependencies either, check out deborphan to clean those up as well!

November 12th, 2010

Posted In: Mac OS X Server, Ubuntu, Unix
