[X2Go-Commits] [[X2Go Wiki]] page changed: doc:howto:x2gobroker
wiki-admin at x2go.org
Fri Feb 10 17:28:21 CET 2017
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/02/10 16:28
Browser : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
IP-Address : 78.43.90.159
Hostname : HSI-KBW-078-043-090-159.hsi4.kabel-badenwuerttemberg.de
Old Revision: http://wiki.x2go.org/doku.php/doc:howto:x2gobroker?rev=1486743723
New Revision: http://wiki.x2go.org/doku.php/doc:howto:x2gobroker
Edit Summary: added server setup section, added ldap preseed
User : stefanbaur
@@ -37,4 +37,267 @@
* what ends up in LDAP this way is not something you want to work with in a production environment
* it will be faster to set up a new LDAP server with the proper settings for your production environment than to base your server on this demo and trying to "clean up" afterwards
* Also, no user-friendly tool to manage LDAP settings is installed by default.
</note>
+ ===== Setting up the servers =====
+ ==== ldap1.xgo.example.com ====
+
<file - preseed_ldap>
+ # There are two sets of parameters you can use as the append line:
+ # The minimum required is:
+ # hostname=ldap1 domain=x2go.example.com
+ # url=http://192.168.0.224/preseed_ldap1
+ # (all in one line, and without the leading "#" marks)
+ # If you only use these, you will have to answer a few questions
+ # - mainly regarding country, keyboard and locale - interactively.
+ # For a fully automated installation, add these parameters
+ # *in addition to the ones listed above*
+ # (again, all in one line, and without the leading "#" marks):
+ # priority=critical netcfg/use_dhcp=true netcfg/choose_interface=eth0
+ # debian-installer/locale=de_DE keymap=de-latin1
+ # debian-installer/locale=de_DE.UTF-8 DEBCONF_DEBUG=5
+
+ # We prefer to stay anonymous ;-)
+ popularity-contest popularity-contest/participate boolean false
+
+ # Load non-free firmware, if possible
+ d-i hw-detect/load_firmware boolean true
+
+ # Repository
+ # CHANGE THIS to your nearest mirror
+
d-i mirror/http/hostname string ftp.de.debian.org
+ d-i mirror/http/directory string /debian/
+ d-i mirror/suite string jessie
+
+ # Post install APT setup
+ d-i apt-setup/uri_type select d-i
+ # CHANGE THIS to your nearest mirror
+ d-i apt-setup/hostname string ftp.de.debian.org
+ d-i apt-setup/directory string /debian/
+ d-i apt-setup/another boolean false
+ d-i apt-setup/security-updates boolean true
+ d-i finish-install/reboot_in_progress note
+ d-i prebaseconfig/reboot_in_progress note
+
+ d-i apt-setup/non-free boolean true
+ d-i apt-setup/contrib boolean true
+
+ # Network-related settings
+ # Every hostname and domain name assigned via DHCP
+ # takes priority over these values
+ # however, if they are left empty, the installer will query them interactively
+ d-i netcfg/get_hostname string ldap1
+ d-i netcfg/get_domain string x2go.example.com
+ d-i
netcfg/disable_dhcp boolean false
+ d-i mirror/http/proxy string
+ d-i netcfg/choose_interface select eth0
+ d-i netcfg/wireless_wep string
+
+ # Partitioning and Bootloader settings
+ d-i partman-auto/disk string /dev/sda
+ d-i partman-auto/method string regular
+
+ # Do not use UUIDs in fstab (and not in bootloader config, either)
+ d-i partman/mount_style string traditional
+
+ # This silences an interactive "are you sure?" query
+ d-i partman/confirm boolean true
+ d-i partman-partitioning/confirm_write_new_label boolean true
+ d-i partman/choose_partition select finish
+ d-i partman/confirm_nooverwrite boolean true
+ d-i partman-lvm/device_remove_lvm boolean true
+ d-i partman-lvm/confirm boolean true
+ d-i partman-md/device_remove_md boolean true
+ d-i partman-md/confirm boolean true
+
+ d-i partman-auto/choose_recipe select atomic
+ #d-i partman-auto/choose_recipe select home
+ #d-i
partman-auto/choose_recipe select multi
+
+ d-i debian-installer/add-kernel-opts string nomodeset gfxpayload=vga=normal
+
+ d-i grub-installer/only_debian boolean true
+ d-i grub-installer/with_other_os boolean true
+ d-i grub-installer/bootdev string /dev/sda
+
+ # Country, keyboard, locale settings - CHANGE THIS
+ d-i debian-installer/locale string de_DE
+ d-i debian-installer/keymap select de-latin1
+ d-i debian-installer/keymap string de-latin1
+
+ d-i languagechooser/language-name-fb select German
+ d-i countrychooser/country-name select Germany
+ d-i console-setup/layoutcode string de_DE
+ d-i debian-installer/locale select de_DE.UTF-8
+
+ # Time zone settings - CHANGE THIS
+ d-i tzconfig/gmt boolean false
+ d-i tzconfig/choose_country_zone/Europe select Berlin
+ d-i tzconfig/choose_country_zone_single boolean true
+ d-i time/zone select Europe/Berlin
+ d-i clock-setup/utc boolean true
+
d-i mirror/country string manual
+ d-i clock-setup/ntp boolean false
+
+ # Root Account
+ # this says "start" in MD5 - CHANGE THIS
+ d-i passwd/root-password-crypted passwd $1$ekONVtC5$rTbjMaMA6cqFpbWu7UXWN.
+
+ # Do not create a regular user account when installing a server
+ d-i passwd/make-user boolean false
+ #d-i passwd/user-fullname string Local User
+ #d-i passwd/username string localuser
+ #d-i passwd/user-password-crypted passwd $1$ekONVtC5$rTbjMaMA6cqFpbWu7UXWN.
+
+ # Task and Package Selection
+ tasksel tasksel/first multiselect ssh-server
+ d-i pkgsel/include string ssh \
+ console-setup \
+ debconf-i18n \
+ dnsmasq \
+ dnsmasq-base \
+ ldap-utils \
+ libnss-ldapd \
+ libpam-ldapd \
+ mc \
+ migrationtools \
+ nslcd \
+ ntp \
+ rsync \
+ screen \
+ slapd \
+ sysvinit-core \
+ sysvinit-utils \
+ unattended-upgrades \
+ vim
+
+ # Commands to be executed after package installation
+ # Note: The only way to insert comments below is
to add an "echo COMMENT"
+ d-i preseed/late_command string echo "COMMENT: Begin Post-Install Setup/Config" ;\
+ echo "COMMENT: Configure SSH" ;\
+ mkdir -p /target/root/.ssh ; \
+ chmod 700 /target/root/.ssh ;\
+ touch /target/root/.ssh/authorized_keys ; \
+ chmod 600 /target/root/.ssh/authorized_keys ;\
+ sed -i '/^PermitRootLogin/c PermitRootLogin without-password' /target/etc/ssh/sshd_config ;\
+ echo "COMMENT: Insert your own SSH public key here" ;\
+ echo "COMMENT: User echo -n as shown so multiline echo doesn't add Newlines when appending" ;\
+ echo -n 'ssh-rsa AAAAB3blahblahblah' >>/target/root/.ssh/authorized_keys ;\
+ echo -n 'blahblahblahOQ== SSH Key Comment here' >>/target/root/.ssh/authorized_keys ;\
+ echo "COMMENT: Fixing shortcomings of netcfg here..." ;\
+ sed -i "s/$(cat /etc/hostname)/ldap1/" /target/etc/hosts ;\
+ echo "ldap1" >/target/etc/hostname ;\
+ echo "COMMENT: Fix ends here." ;\
+ echo "COMMENT: This is said to be required for LDAP UID/GID
sync." ;\
+ sed -i '/^NEED_IMAPD/cNEED_IMAPD=yes' /target/etc/default/nfs-common ;\
+ echo "COMMENT: These are our IP-FQDN-Hostname mappings that will be picked up by dnsmasq" ;\
+ echo -e '192.168.154.146\tldap1.x2go.example.com\tldap1'>> /target/etc/hosts ;\
+ echo -e '192.168.154.147\tnfs1.x2go.example.com\tnfs1'>> /target/etc/hosts ;\
+ echo -e '192.168.154.148\tx2gobroker1.x2go.example.com\tx2gobroker1'>> /target/etc/hosts ;\
+ echo -e '192.168.154.149\tx2goserver1.x2go.example.com\tx2goserver1'>> /target/etc/hosts ;\
+ echo -e '192.168.154.150\tx2goserver2.x2go.example.com\tx2goserver2'>> /target/etc/hosts ;\
+ echo -e '192.168.154.151\tpg1.x2go.example.com\tpg1'>> /target/etc/hosts ;\
+ echo "COMMENT: This fixes some annoyances regarding UTF-8 and MidnightCommander" ;\
+ echo "export LANG=de_DE.UTF-8" >>/target/etc/bash.bashrc ;\
+ echo "export NCURSES_NO_UTF8_ACS=1" >>/target/etc/bash.bashrc ;\
+ echo "COMMENT: This is for homedir autocreation." ;\
+ echo -e
'session required\tpam_mkhomedir.so\tskel=/etc/skel umask=0022' >>/target/etc/pam.d/common-session ;\
+ echo "COMMENT: This is so LDAP users are added to local groups when logging in to a remote system." ;\
+ echo -e "auth\trequired\tpam_group.so\tuse_first_pass" >>/target/etc/pam.d/common-auth ;\
+ echo "common-auth;*;*;A10000-2400;users,x2gousers,x2gobroker-users" >>/target/etc/security/group.conf ;\
+ echo "COMMENT: This makes sure error messages during bootup remain on screen." ;\
+ sed -i -e '/^1/ s/getty/getty --noclear/' /target/etc/inittab ;\
+ echo "COMMENT: This removes the cdrom entry from sources list (left behind by installer)" ;\
+ sed -i '/^#* *deb cdrom/d' /target/etc/apt/sources.list ;\
+ echo "COMMENT: This patches rc.local so the following set of commands is run" ;\
+ echo "COMMENT: exactly *once* - at the first boot after installation." ;\
+ echo "COMMENT: First, remove the 'exit 0'" ;\
+ sed -i '/^exit 0/d' /target/etc/rc.local ;\
+ echo "COMMENT:
This automagically injects all local users, groups, etc. into LDAP" ;\
+ echo "COMMENT: Yes, this is a mess, ugly, a dirty hack, etc - but remember, this isn't" ;\
+ echo "COMMENT: about maintainability - it is to get a small, simple, static LDAP setup up" ;\
+ echo "COMMENT: and running so you don't have to bother with LDAP when all you want to do is" ;\
+ echo "COMMENT: test-drive the broker setup." \;
+ echo '(cd /usr/share/migrationtools && LDAP_BASEDN="dc=x2go,dc=example,dc=com" LDAPHOST="ldap1" LDAP_BINDDN="cn=admin,dc=x2go,dc=example,dc=com" LDAP_BINDCRED="start" LDAP_PROFILE="no" LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh || true)' >>/target/etc/rc.local ;\
+ echo "COMMENT: This is the cleanup job for the LDAP migration, so it doesn't run more than once." ;\
+ echo 'sed -i -e "/LDAP/d" /etc/rc.local' >>/target/etc/rc.local ;\
+ echo "COMMENT: This is so /bin/sh points to /bin/bash instead of /bin/dash" ;\
+ echo "COMMENT: As the
standard shell of our LDAP users is set to /bin/sh." ;\
+ echo 'dpkg-reconfigure -pcritical dash' >>/target/etc/rc.local ;\
+ echo "COMMENT: This is the cleanup job for the dpkg-reconfigure call, so it doesn't run more than once." ;\
+ echo 'sed -i -e "/dpkg/d" /etc/rc.local' >>/target/etc/rc.local ;\
+ echo "COMMENT: Finally, rc.local must terminate with 'exit 0' again." ;\
+ echo 'exit 0' >>/target/etc/rc.local ;\
+ echo "COMMENT: Now we set the default shell, create groups, create users, and add them to groups" ;\
+ in-target useradd -D -s /bin/bash ;\
+ in-target addgroup x2gobroker-users ;\
+ in-target addgroup x2godesktopsharing ;\
+ in-target addgroup x2gousers ;\
+ in-target addgroup group-shadow ;\
+ in-target addgroup group-a ;\
+ in-target addgroup group-b ;\
+ in-target useradd user1 -G users,x2gousers,x2gobroker-users,group-shadow ;\
+ in-target useradd user2 -G users,x2gousers,x2gobroker-users,group-a ;\
+ in-target useradd user3 -G
users,x2gousers,x2gobroker-users,group-a ;\
+ in-target useradd user4 -G users,x2gousers,x2gobroker-users,group-b ;\
+ in-target useradd user5 -G users,x2gousers,x2gobroker-users,group-b ;\
+ echo "COMMENT: Users will need passwords to log in, so we set them as well." ;\
+ echo "user1:start" | chroot /target /usr/sbin/chpasswd ;\
+ echo "user2:start" | chroot /target /usr/sbin/chpasswd ;\
+ echo "user3:start" | chroot /target /usr/sbin/chpasswd ;\
+ echo "user4:start" | chroot /target /usr/sbin/chpasswd ;\
+ echo "user5:start" | chroot /target /usr/sbin/chpasswd ;\
+ echo "COMMENT: Finally, take out the trash (yes, this includes systemd)" ;\
+ in-target apt-get purge -y systemd systemd-shim ;\
+ in-target apt-get autoremove --purge -y ;\
+ in-target apt-get clean ;\
+ echo "End Post-Install Setup/Config"
+
+ # Shut down and power off after installation
+ d-i debian-installer/exit/poweroff boolean true
+
+ # preseed key-value pairs for the packages we intend to
install
+ dash dash/sh boolean false
+ exim4-config exim4/no_config boolean true
+ libnss-ldapd libnss-ldapd/nsswitch multiselect group, hosts, netgroup, passwd, shadow
+ libnss-ldapd libnss-ldapd/clean_nsswitch boolean false
+ libpam-runtime libpam-runtime/profiles multiselect unix, ldap
+ mdadm mdadm/autostart boolean false
+ mdadm mdadm/mail_to string root
+ mdadm mdadm/initrdstart string all
+ mdadm mdadm/initrdstart_notinconf boolean true
+ mdadm mdadm/autocheck boolean true
+ mdadm mdadm/start_daemon boolean true
+ nslcd nslcd/ldap-bindpw password
+ nslcd nslcd/ldap-sasl-secprops string
+ nslcd nslcd/ldap-sasl-krb5-ccname string /var/run/nslcd/nslcd.tkt
+ nslcd nslcd/ldap-sasl-authcid string
+ nslcd nslcd/ldap-binddn string
+ nslcd nslcd/ldap-cacertfile string /etc/ssl/certs/ca-certificates.crt
+ nslcd nslcd/ldap-sasl-authzid string
+ nslcd nslcd/ldap-uris string ldap://ldap1.x2go.example.com/
+
nslcd nslcd/ldap-sasl-mech select
+ nslcd nslcd/ldap-auth-type select none
+ nslcd nslcd/ldap-base string dc=x2go,dc=example,dc=com
+ nslcd nslcd/ldap-sasl-realm string
+ nslcd nslcd/ldap-reqcert select
+ nslcd nslcd/ldap-starttls boolean false
+ slapd slapd/password1 password start
+ slapd slapd/internal/generated_adminpw password start
+ slapd slapd/password2 password start
+ slapd slapd/internal/adminpw password start
+ slapd slapd/purge_database boolean false
+ slapd slapd/invalid_config boolean true
+ slapd slapd/password_mismatch note
+ slapd slapd/domain string x2go.example.com
+ #slapd slapd/upgrade_slapcat_failure error
+ slapd slapd/unsafe_selfwrite_acl note
+ slapd slapd/dump_database select when needed
+ slapd shared/organization string X2Go LDAP Example Environment
+ slapd slapd/backend select MDB
+ slapd slapd/no_configuration boolean false
+ slapd slapd/allow_ldap_v2 boolean false
+
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
+ slapd slapd/move_old_database boolean true
+
+ </file>
+
+
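Review bot: The preseed/late_command block is cut short at the line `echo "COMMENT: test-drive the broker setup." \;` because it ends with `\;` instead of `;\`; a preseed line only continues when the backslash is the last character, so everything after that point (the migrate_all_online.sh call, the rc.local edits, the addgroup/useradd calls, the chpasswd loop and the systemd purge) stops being part of late_command and the installer will try to parse those shell fragments as stand-alone `owner question type value` entries, and the stray `\;` also hands a literal `;` to echo. Swap it for `;\` like every other line in the block. Three smaller points in the same hunk: the sed on /etc/default/nfs-common matches `^NEED_IMAPD`, but the variable in that file is `NEED_IDMAPD`, so the edit silently does nothing (and nfs-common is not in the pkgsel/include list for ldap1, so the file may not exist at all); the pam_group rule `common-auth;*;*;A10000-2400;users,x2gousers,x2gobroker-users` uses `A1` in the day field, which is not a pam_group day code (valid ones are Mo..Su, Wk, Wd and Al), so the rule is rejected and the supplementary groups are never granted; if every day is meant it should read `Al0000-2400`. Finally, since the preseed is fetched over plain `http://192.168.0.224/`, the root hash, the slapd admin password, the five `user:start` lines and the `LDAP_BINDCRED="start"` written into the world-readable /etc/rc.local all cross the network and land on disk in the clear; even for a demo it is worth replacing the `$1$` MD5-crypt root hash with a SHA-512 one (`mkpasswd -m sha-512`) and saying explicitly in the file comments that the "start" credentials must not survive into anything beyond the test-drive the page describes.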
--
This mail was generated by DokuWiki at
http://wiki.x2go.org/