Wednesday, May 18, 2011

Active Directory and BackupPC, continued...

I originally wrote this post a long time ago. Looks like around 5/18/2011. While I never finished it, I came across it recently and think it deserves to at least be put out there to provide a bit of info that may help, rather than languishing in a draft. It may not end in a cliffhanger, but hopefully it will get you somewhere.

Well, in the continuing saga of BackupPC and Active Directory, the old BackupPC server that worked fine for so long finally died, prompting a new one.

Ok, so it didn't really die. The BackupPC box at my work has been a virtual machine (under VirtualBox in Win2k3 Server) that has had it's fair share of quirks. Yes, I'm not running VMWare or something high end, but it did the job, even though it needed to be restarted once a month or so. Mainly due to disk and network driver issues.

So, since we're getting a new server and the current one running the VM is being repurposed, I decided to pull an older P4 desktop out of the back to finally get a dedicated server running which should be MUCH more efficient and have less network/disk related issues. Obviously, this requires me to reinstall the whole mess.

I'm going to do it again this time, and do a better job of documenting it. I'll also be using the latest Ubuntu, Natty Narwhal, 32-bit Server edition, to do this. I'll walk through the steps of installing Linux, getting the machine on the domain using the newer Likewise-Open package, getting Apache up and happy with AD authentication, and then hook BackupPC into the whole mess. I'm going to have to do some interesting stuff with getting the pool over, though I may just say screw it and dump the pool since the data isn't that important. I will need to copy over the config file from the old BackupPC install though, so I don't have to spend another 5 hours configuring hostnames and excludes.

This post will be edited several times over the coming days, because it's going to take me a bit to properly do this.

Step 1: Installing Linux
The obvious first step here is to install Ubuntu on the machine. I'm using the normal Ubuntu Server 32-bit install disc from 11.04, Natty Narwhal.
The first (relevant) thing it's going to ask you is the hostname. I'm on a Big Corporate network, so as an IT Manager at a location, I only have access to do things to my location's OU. Unfortunately, when you join a computer to a domain without specifying where to put it, if there's no object, it tries to create it in the big "Computers" area, which I don't have access to. So what I do is create the computer object in my OU, and then make the hostname of the Linux box the same.
There IS a way to have Likewise-Open create in a specific OU, but I haven't played with that, and so I'm just explaining how I do it.
So, set the hostname to your created computer object's name. 

Next, you'll be asked what groups of packages to install. I choose OpenSSH (necessary to be able to SSH into the server) and Samba (for pulling data from desktops)

Step 2: Setting up Likewise-Open
The next thing to do after you get the machine up and running is to logon to it and get all the updates and such, make sure things are up to date. Then, install the Likewise-Open package.
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install likewise-open
 The setup will ask you a question during the config of likewise-open regarding the Kerberos configuration: 
  • Default Kerberos version 5 realm This is (as the dialog explains) what the system will default to if someone tries to do a domain login as "person" rather than "domain\person". Basically, the default logon domain. This should probably be the same FQDN as the domain you're joining to.
 On my install, towards the end it says "Importing Registry Configuration", which sits there for awhile. I hit enter a couple times after a few minutes and it seems to complete; I'm not sure why it waits until enter is hit. Might be a little bug in the install script.

The Likewise-Open install guide has a few things that you need to do to prep the system for joining to the domain. I'm going to only run through a couple, but if you have issues definitely check that as it has more info on DNS and some other important things which may be already configured in Ubuntu, as the install guide is aimed at people loading the file directly onto a bare Linux system.
  • Check /etc/nsswitch.conf and make sure that the line hosts: is followed by 'files dns'. In Ubuntu 11.04, this is the default, so just double-check.
  • Make sure that /etc/resolv.conf contains nameservers that can perform SRV lookups for the domain you're trying to join. DHCP at my company already has internal nameservers in it, and provides the proper domains, so I don't have to do anything here. If you're using static IP and such, make sure that your nameserver can do SRV lookups.
  • Make sure you have your network set up correctly, i.e. primary gateway, firewall on the machine (if any), DNS lookups resolve properly to your machine name, etc. There is a laundry list of things to check on the Likewise-Open guide, definitely give it a once over before you start trying to join in case there's anything glaringly wrong. 
  • Next, we need to check the /etc/krb5.conf file to make sure it has the right domain info in it. You should see your domain listed as the default realm at the top of the file.
Step 3: Joining to the domain
This is the easy part. From the command prompt, enter the following:
 $ sudo domainjoin-cli join DomainAdmin
where '' is your domain, and 'DomainAdmin' is a user that has administrative rights to join a computer.
If it works out, it should take a little while after entering the password to complete the join and do all the good configuration type stuff necessary to allow the machine to authenticate users via AD.

If successful, after it's finished you'll see a message telling you to reboot the machine or restart all services. I'm going to reboot, cause this isn't a high availability server or anything.

After the reboot, you can test the connection by attempting to logon with a domain user and password at the linux logon prompt. You should see "Created user: UserName" and it should log you on. It will even tell you if your password is about to expire!

As you can see, I've had a much easier time joining to the domain than I did previously, though most of that might just be from me not doing things correctly the first time around.

Next, we'll look at installing BackupPC and getting it working on the domain!

BackupPC: Getting that thang installed
Okay. Ubuntu server has version 3.2.0 of BackupPC, and while it's not the latest (3.2.1) there's not too much of a difference. I'm just going to use the one that comes with it for now.

$ sudo apt-get install backuppc
This will get backuppc installed. It installs x11 and a bunch of unnecessary stuff, but you just hafta kinda live with it for now. I haven't found a way to install it via APT without it.

Make sure you have Apache installed properly, it should have installed as a requisite of BackupPC. 

Now there's a couple ways to authenticate users via AD. One is via the LDAP module, which is nifty, but you need to have a user account and password that the server can use to lookup users in the domain. I don't like that, so I'm going to use Kerberos.
An interesting side-effect of Likewise-Open is that it seems to generate the keytab file for you! This makes config much easier, as we don't need to bother with a lot of stuff. You can check for the existance of it, it should be in /etc/krb5.keytab. You can also check the contents with this command:
$ sudo klist -k /etc/krb5.keytab
This will show you a list of all the bits inside it, you should see several lines listing your computer's name as well as the domain you've joined.
Now we need to make it so that Apache can read the file, as it's modules will need to see it to authenticate to the network.
$ sudo chmod 740 /etc/krb5.keytab
$ sudo chgrp www-data /etc/krb5.keytab
Now I'm not condoning this as the most secure way to do things, but I'm in somewhat of a low-security environment because I'm behind copious firewalls and such. You might want to come up with a better way to secure the keytab.

(I copied the following section from my previous post)

Now we need to edit the backuppc Apache configuration to tell Apache how to authenticate users.
The file to edit is located in /etc/apache2/conf.d/backuppc.conf
This is how my file has been setup. I have commented out the four lines at the bottom there, leaving the require valid-user line in place. I added the six lines at the top.
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/krb5.keytab
KrbMethodNegotiate On
KrbMethodK5Passwd On

# AuthGroupFile /etc/backuppc/htgroup
# AuthUserFile /etc/backuppc/htpasswd
# AuthType basic
# AuthName "BackupPC admin"
require valid-user