Gavin Thomas Garrad, Stepan Maluchev
Date: 15.05.2015
Contents
Table of contents (entries recovered from the scan; page numbers omitted):

2 Requirements
3 LDAP
3.3 Explanation of the package libpam-ldapd
3.3.1 What is libpam-ldapd
3.3.2 Packet's content
3.4 Explanation of the package libpam-ldap
3.4.1 Packet's content
3.5.2 Example
3.6.1 Different commands
3.7.1 What is Fluxbox
3.8.1 What is a hypervisor
3.10.1 Immutable
3.10.2 Multi-attach
4.1.1 Pre-work
Participants: Gavin Thomas Garrad, Stepan Maluchev
Supervisor: Erik Hjelmås
Employer: Høgskolen i Gjøvik
Contact person: Thomas Kimmerich
Keywords: Virtualisation, LDAP, Window Manager, Ubuntu
Pages: 125
Appendixes: 15
Availability: Open

Short description of the main project

The Cisco lab at HiG consists of old computers running Windows 7 and is available to all students who have access to the lab. On these machines the students have full administrator rights, which means that they can do whatever they want on them, while the purpose of the machines is to be used with Cisco equipment for configuration and testing. The project's goal is to make a prototype where the students do not have full administrative rights on the host machine, but rather on the virtual machines running on the host. The students will have their own test domains, which will not affect the other students in any way. The contents of the report have been written in such a way that those who are going to further develop this project will understand our choices, based on theoretical and practical reasons.

Preface

This bachelor project has been a very interesting and challenging project. We have learned a lot of new things and now have a much better understanding of how Ubuntu, virtualization (VirtualBox, KVM), Fluxbox, LDAP, AD and Google Search work. The abil
(defaultVMScript.sh, continued; the listing is reconstructed from the scanned appendix)

        done
    # Only ordinary users get VMs created; the admin account is skipped.
    if [ "$me" != "$admin" ]; then
        for eachOS in "${os[@]}"; do
            osRegEx="^\"$eachOS\""
            # Name of the VM as VirtualBox already knows it (empty if not registered).
            knownVMs=$(VBoxManage list vms | grep -e "$osRegEx" | awk '{print $1}' | cut -d '"' -f 2)
            DIRECTORY="$HOME/VirtualBox VMs/$eachOS"
            if [ "$knownVMs" != "$eachOS" ]; then
                # Remove any stale VM folder before registering a fresh VM.
                if [ -d "$DIRECTORY" ]; then
                    rm -fr "$DIRECTORY"
                fi
                VBoxManage createvm --name "$eachOS" --ostype Ubuntu_64 --register
                VBoxManage modifyvm "$eachOS" --memory 1024 --vram 256 --cpus 2 --usb on --nic1 bridged --bridgeadapter1 eth1
                VBoxManage storagectl "$eachOS" --name sata1 --add sata
                # The base image stays immutable; each user's changes live in a differencing disk.
                VBoxManage storageattach "$eachOS" --storagectl sata1 --port 0 --device 0 --type hdd --medium "/home/$admin/Desktop/os/$eachOS.vdi" --mtype immutable
            fi
        done
    fi

D nslcd.conf

    # /etc/nslcd.conf
    # nslcd configuration file. See nslcd.conf(5) for details.

    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd

    # The location at which the LDAP server(s) should be reachable.
    uri ldap://128.39.140.10/

    # The search base that will be used for all queries.
    base ou=student,dc=hig,dc=no

    # The LDAP protocol version to use.
    ldap_version 3

    # The DN to bind with for normal lookups.
    binddn cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
    bindpw Ourbox92

    # The DN used for password modifications by root.
    #rootpwmoddn cn=admin,dc=example,dc=com

    # SSL options
    ssl off
    #tls_reqcert never

    # The search scope.
    scope sub
3.3.2 Packet's content

The libpam-ldapd package consists of several other packages and modules which let a Unix system perform remote authentication and get its identity via an LDAP server. The package consists of:

1 ldap-utils: Contains all the client programs required to access an LDAP server. The most common is ldapsearch, which is used to search and display entries; for an overview of all tools available, see [11].
2 libnss-ldapd: Contains the NSS (Name Service Switch) module for using LDAP as a naming service. This means that the LDAP server can be used to retrieve the same information about user accounts, groups, host names, aliases or netgroups which can normally be found in flat files in /etc or in NIS.
3 libpam-ldapd: This is a PAM module which provides password management, authorization and authentication based on credentials stored in an LDAP server [12].
4 nscd: The Name Service Cache Daemon, which handles passwd, group and host lookups. This daemon caches this information and uses it in other queries.
5 nslcd: A daemon for NSS and PAM lookups when used against an LDAP server [12].

3.3.3 nslcd.conf

All the necessary configuration for the nslcd daemon is done in /etc/nslcd.conf. The nslcd.conf file also defines what information the nslcd daemon should retrieve from the LDAP server.

Basic configuration and explanation

There are six configuration attributes in the configuration file which must be c
[Gantt chart: task name, duration, start, finish]

2 Requirements

To get a better understanding of our work and thesis, the requirements have been important for us in order to understand what Thomas wants. It took some time for us to understand what he really wanted. Here are the requirements:

1 If possible, no OS will be running on the hosts, only a hypervisor which boots up.
2 No access to the hypervisor by the users.
3 A list of virtual machines can be started by the users.
4 The virtual machines must be able to have accounts (users).
5 Connect with HIG LDAP fo
(Fluxbox menu, continued)

        [submenu] (VirtualBox)
            [exec] (VirtualBox) {/usr/bin/virtualbox} </usr/share/pixmaps/virtualbox.xpm>
        [end]
    [end]
    [restart] (Restart)
    [exit] (Exit)
    [end]

We also had to change the keys file, where we removed the option for opening a terminal and the dialog for running other programs.

Listing 4.14: Removed code in keys

    # open a terminal
    Mod1 F1 :Exec x-terminal-emulator
    # open a dialog to run programs
    Mod1 F2 :Exec fbrun

The administrator's Fluxbox includes the same files as an ordinary user's, but there are two more lines in the administrator's fluxbox menu (/home/username/.fluxbox/menu).

Listing 4.15: Fluxbox administrator

    [begin] (fluxbox)
    [include] (/etc/X11/fluxbox/fluxbox-menu)
        [submenu] (Switch Environment)
            [exec] (Unity) {gnome-terminal -x sudo mv /usr/share/ubuntu.desktop /usr/share/xsessions/}
            [exec] (Fluxbox) {gnome-terminal -x sudo mv /usr/share/xsessions/ubuntu.desktop /usr/share/}
        [end]
    [end]

Line 4: Moves ubuntu.desktop back to its original folder, /usr/share/xsessions. This means that the administrator has the opportunity to go back to regular Ubuntu Unity, so that the administrator gets a familiar desktop to work with when needed.

Line 5: This moves ubuntu.desktop from /usr/share/xsessions/ubuntu.desktop to another location, wha
(Table of contents, continued; entries recovered from the scan, page numbers omitted)

4.1.3 Configuring LDAP Mapping
4.1.4 Configuring LDAP Mapping, mounting directory
4.1.5 Home directory with a desktop environment
4.2 Desktop Environments
4.2.1 Unity greeter
4.4.1 KVM implementation
4.5.1 Conclusion of the KVM
5.1 Requirements and their Results
5.2 Critique of the thesis
5.3 Future work
5.4.1 Introduction
5.4.2 Organize
Bibliography
B User Manual
C.1 afterInstallation.sh
C.2 runMe.sh
C.3 verifyNewOSes.sh
C.4 installVirtualBox.sh
C.5 defaultVMScript.sh
E Fluxbox config
(Fluxbox keys file, continued)

    OnWindow Mod1 Mouse3 :MacroCmd {Raise} {Focus} {StartResizing NearestCorner}
    OnLeftGrip Move1 :StartResizing bottomleft
    OnRightGrip Move1 :StartResizing bottomright

    # alt + middle-click to lower the window
    OnWindow Mod1 Mouse2 :Lower

    # control-click a window's titlebar and drag to attach windows
    OnTitlebar Control Mouse1 :StartTabbing

    # double click on the titlebar to shade
    OnTitlebar Double Mouse1 :Shade

    # left click on the titlebar to move the window
    OnTitlebar Mouse1 :MacroCmd {Raise} {Focus} {ActivateTab}
    OnTitlebar Move1 :StartMoving

    # middle click on the titlebar to lower
    OnTitlebar Mouse2 :Lower

    # right click on the titlebar for a menu of options
    OnTitlebar Mouse3 :WindowMenu

    # alt-tab
    Mod1 Tab :NextWindow {groups} (workspace=[current])
    Mod1 Shift Tab :PrevWindow {groups} (workspace=[current])

    # cycle through tabs in the current window
    Mod4 Tab :NextTab
    Mod4 Shift Tab :PrevTab

    # go to a specific tab in the current window
    Mod4 1 :Tab 1
    Mod4 2 :Tab 2
    Mod4 3 :Tab 3
    Mod4 4 :Tab 4
    Mod4 5 :Tab 5
    Mod4 6 :Tab 6
    Mod4 7 :Tab 7
    Mod4 8 :Tab 8
    Mod4 9 :Tab 9

    # open a terminal
    Mod1 F1 :Exec x-terminal-emulator

    # open a dialog to run programs
    Mod1 F2 :Exec fbrun

    # volume settings u
    --bridgeadapter1 eth1

- Notice that when configuring the VM in bridged mode we must use eth1 or higher; eth0 will not work.
- Installing VirtualBox 4.3 with the extension pack: a script has been made. Sources:
  - Install VirtualBox: https://www.virtualbox.org/wiki/Linux_Downloads
  - Install extension pack: https://www.howtoforge.com/vboxheadless-running-virtual-machines-with-virtualbox-4.3-on-a-headless-ubuntu-14.04-lts-server
- VBoxManage modifyvm <vm name> --draganddrop bidirectional
- VBoxManage modifyvm <vm name> --clipboard bidirectional (the clipboard needs Guest Additions installed on the VM)

27.04.15
- Continuing writing the report
  - Stepan: Authentication
  - Gavin: Desktop Environment
- http://texblog.org/2011/06/11/latex-syntax-highlighting-examples-for-code-in-the-latex/

29.04.15
- Continuing writing the report
  - Stepan: Authentication, understanding LDAP files
  - Gavin: Desktop Environment, Hypervisor

30.04.15
- Continuing writing the report
  - Stepan: Authentication, understanding LDAP files
  - Gavin: Desktop Environment, Hypervisor

01.05.15
- Continuing writing the report
  - Stepan: Authentication, understanding LDAP files
  - Gavin: Desktop Environment, Hypervisor

A.1 Meetings

14.01.2015, minutes from the meeting with Thomas, 09:30-10:15
- Snapshots shall be possible for all students.
- What the students should see when the PC boots o
    ...cdc.iseage.org/tutorial/pam-ldap-authentication-active-directory-freebsd
  - Override:

        # Uncomment the following line to override the default login shell
        nss_override_attribute_value loginShell /usr/local/bin/bash

- John said that we need to figure out how we can map the uidNumber on the host to get its value from msSFU30UidNumber in the AD.
  - This could be done in the ldap.conf file.
  - Also we need to override the loginShell.
- Report: http://en.wikipedia.org/wiki/Virtualization

Research, 15.04.15
- How PAM performs an authentication and the steps alongside: http://en.wikipedia.org/wiki/Linux_PAM

16.04.15
- Trying to map the right attributes in ldap.conf when using getent passwd 120683. Interesting: when we write getent passwd ourbox it searches locally for the username, but when we search in the LDAP directory this attribute is named uidNumber. In ldap.conf we added this line: nss_map_attribute uidNumber sAMAccountName, and now, using Wireshark, we get success with the lookup. However, the command returns nothing. The request we send with the getent passwd 120683 command asks the LDAP server for 10 items, but we only receive 5 attributes.

    Frame 9: 287 bytes on wire (2296 bits), 287 bytes captured (2296 bits) on interface 0
    Ethernet II, Src: 98:90:96:a8:a1:34 (98:90:96:a8:a1:34), Dst: Cisco_72:44:21 (00:13:7f:72:44:21)
    Internet Protocol Version 4, Src: 1
(KVM user script, continued)

                    ... -n ubuntu$i --connect qemu:///session --vcpu 1 -r 1024 --disk path=$HOME/VirtualMachines/ubuntu$i.qcow2,format=qcow2 --import --accelerate
                    # Stop the freshly defined VM again; it is only meant to appear in virt-manager.
                    virsh --connect qemu:///session destroy ubuntu$i
                fi
            fi
        done
    fi

Line definition

Line 3: This script is executed as the user, not as root, therefore the username is stored in a variable.
Line 4: The administrator username is stored in its own variable.
Line 6: If the user is anyone other than the ourbox admin, enter the if statement.
Line 7: Checks if the default virtual machines folder exists. The virtual machines will be stored in this folder.
Line 8: If the folder doesn't exist, create a new one in the user's home directory.
Line 10: In this example we create a loop which is executed 5 times and creates virtual machine containers.
Line 11: Checks if the qcow2 image exists; if not, enter the statement.
Line 12: Creates a qcow2 image of the original ubuntu.img, which is found in the ourbox user's home directory. The loop will create 5 qcow2 images named ubuntu1.qcow2, ubuntu2.qcow2, etc.
Line 13: Enter the statement only the first time the for loop runs. This statement creates only one default mapped VM, which will automatically be displayed when the user logs in.
Line 14: Create a virtual image with the specific attributes. This image will be visible to the user in the graphical user interface (virt-manager). Since this is a user which i
Here is where an administrator can make the configuration even more tailored to the specific user:

1 apps
2 keys
3 backgrounds (folder)
4 init
5 menu
6 lastwallpaper
7 overlay
8 pixmaps (folder)
9 slitlist
10 startup
11 styles (folder)
12 windowmenu

The startup file is what starts Fluxbox; this is also the file where you can start applications at startup of the machine. The startup file is generated by /usr/bin/startfluxbox [18].

3.8 Hypervisor

3.8.1 What is a hypervisor

A hypervisor is a virtual machine manager which manages the host hardware to allow different operating systems on a host machine to share the same hardware [19].

There are a lot of different hypervisors on the market, just to mention some:

1 KVM
2 Xen
3 VMware
4 VirtualBox

There are also different types of hypervisors. A type 1 hypervisor, also known as a bare-metal hypervisor, runs on the hardware itself, where resources are provided by the hypervisor, while a type 2 hypervisor runs on top of the host operating system.

3.8.2 KVM

KVM (Kernel-based Virtual Machine) is a virtualization solution that turns Linux into a hypervisor. KVM itself is a hypervisor which doesn't perform any emulation; what it does is provide near-native performance to the guest operating system. For this hypervisor to work at full power, processors with hardware virtualization extensions are requi
(Fluxbox keys file, continued)

    Mod4 F4 :SendToWorkspace 4
    Mod4 F5 :SendToWorkspace 5
    Mod4 F6 :SendToWorkspace 6
    Mod4 F7 :SendToWorkspace 7
    Mod4 F8 :SendToWorkspace 8
    Mod4 F9 :SendToWorkspace 9
    Mod4 F10 :SendToWorkspace 10
    Mod4 F11 :SendToWorkspace 11
    Mod4 F12 :SendToWorkspace 12

    # send the current window and change to a specific workspace
    Control Mod4 F1 :TakeToWorkspace 1
    Control Mod4 F2 :TakeToWorkspace 2
    Control Mod4 F3 :TakeToWorkspace 3
    Control Mod4 F4 :TakeToWorkspace 4
    Control Mod4 F5 :TakeToWorkspace 5
    Control Mod4 F6 :TakeToWorkspace 6
    Control Mod4 F7 :TakeToWorkspace 7
    Control Mod4 F8 :TakeToWorkspace 8
    Control Mod4 F9 :TakeToWorkspace 9
    Control Mod4 F10 :TakeToWorkspace 10
    Control Mod4 F11 :TakeToWorkspace 11
    Control Mod4 F12 :TakeToWorkspace 12

E.3 Fluxbox startup file

    #!/bin/sh
    #
    # fluxbox startup-script:
    #
    # Lines starting with a '#' are ignored.

    # Change your keymap:
    xmodmap "/home/ourbox/.Xmodmap"

    # Applications you want to run with fluxbox.
    # MAKE SURE THAT APPS THAT KEEP RUNNING HAVE AN '&' AT THE END.
    #
    # unclutter -idle 2 &
    # wmnd &
    # wmsmixer -w &
    # idesk &

    # Debian-local change:
    #   - fbautostart has been added with a quick hack to check to see if it
    #     exists. If it does, we'll start it up by default.
    which fbautostart > /dev/null
    if [ $? -eq 0 ]; then
        fbautostart
    fi

    # And last
(Wireshark, host received, continued)

    OU=Student,DC=hig,DC=no
      attributes: 5 items
        PartialAttributeList item objectClass
        PartialAttributeList item cn
        PartialAttributeList item description
        PartialAttributeList item homeDirectory
        PartialAttributeList item sAMAccountName
      [Response To: 9]
      [Time: 0.001739000 seconds]
    Lightweight Directory Access Protocol
      LDAPMessage searchResDone(2) success [1 result]
        messageID: 2
        protocolOp: searchResDone (5)
          searchResDone
            resultCode: success (0)
            matchedDN:
            errorMessage:
      [Response To: 9]
      [Time: 0.001739000 seconds]

Figure 8: Wireshark, host received

Through analyzing the Wireshark capture we solved the mapping issue with the following, see Listing 4.6.

Listing 4.6: Mapping with AD (ldap.conf)

    nss_map_attribute gidNumber primaryGroupID
    nss_map_attribute uidNumber sAMAccountName
    nss_override_attribute_value loginShell /bin/bash
    nss_map_attribute gecos description
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_objectclass posixAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    pam_password ad

Finally, getent passwd returned not only the local users but also all the students in the AD. For example, a search for 121088 returned first the UID
(Requirements and their results, continued)

    Requirement                                                    | Result                                                                      | Implemented
    ---------------------------------------------------------------+-----------------------------------------------------------------------------+------------
    ...ers etc. SF shall be possible                               | It is not possible to share a folder between virtual machines.              |
    Each host will run several virtual machines when the host      | This depends on what specifications are set on the virtual machines and     | Yes
    is at full capacity                                            | that they do not go over the limits of the host machine. The                |
                                                                   | specification of the host machine is 32 GB memory, a quad-core 3.30 GHz     |
                                                                   | i5-4590 CPU and a 238 GB SSD.                                               |
    The administrator will be able to change how many virtual      | The administrator is not able to set restrictions on the virtual machines.  | No
    machines the host can run when the host is at full capacity,   |                                                                             |
    but this will of course be restricted to the host's hardware   |                                                                             |
    itself                                                         |                                                                             |
    Configuration will be possible through command line or GUI    | An administrator will have the ability to configure the host operating      | Yes
    (VirtualBox)                                                   | system and hypervisor by changing the desktop environment to Ubuntu         |
                                                                   | Unity. From there you will have a standard desktop with a terminal.         |
    A centralized management solution shall be possible           | The easiest way would be to have a management host with Puppet installed;   | No
                                                                   | we have not tried to make this possible.                                    |

There are some requirements we did not implement since we did not have enough time. That is because we encountered a lot of problems with the authentication part, which took longer than expected. With the time we had left we tried to fix the abilit
(afterInstallation.sh, continued; the listing is reconstructed from the scanned appendix)

    ... > /etc/lightdm/lightdm.conf

    # Install LDAP
    DEBIAN_FRONTEND=noninteractive apt-get install -y libpam-ldapd
    # Let NSS consult LDAP after the local files for passwd, group and shadow.
    sed -i 's/compat/compat ldap/' /etc/nsswitch.conf
    cat "$path/nslcdConfigFile" > /etc/nslcd.conf
    service nslcd restart
    # Create the home directory on first login, readable by the owner only.
    echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/common-session

    # Move tty virtual consoles
    mv /etc/init/tty1.conf /home/$admin/Desktop
    mv /etc/init/tty2.conf /home/$admin/Desktop
    mv /etc/init/tty3.conf /home/$admin/Desktop
    mv /etc/init/tty4.conf /home/$admin/Desktop
    mv /etc/init/tty5.conf /home/$admin/Desktop
    mv /etc/init/tty6.conf /home/$admin/Desktop

    # Put the admin name into the admin variable in the file verifyNewOSes.sh.
    # verifyNewOSes.sh will give all vdi files 755 permissions.
    sed -i "/^admin=/c\admin=$admin" "$path/verifyNewOSes.sh"
    # Make verifyNewOSes.sh executable and run it.
    chmod +x "$path/verifyNewOSes.sh"
    "$path/verifyNewOSes.sh"

    # Copy the per-login VM script into profile.d.
    sed -i "/^admin=/c\admin=$admin" "$path/defaultVMScript.sh"
    cp "$path/defaultVMScript.sh" /etc/profile.d/
    cat "$path/defaultVMScript.sh" > /etc/profile.d/defaultVMScript.sh
    reboot

C.3 verifyNewOSes.sh

    #!/bin/bash

    admin=""

    chmod 755 /home/$admin/Desktop/os

    for file in $(ls -l /home/$admin/Desktop/os/*.vdi | awk '{print $9}')
    do
        ch
    /home/ourbox/Desktop/ub.vdi
    chmod 755 ub.vdi     # made it readable and executable for groups
    chgrp aaa ub.vdi     # added the file to the group

  - Commands for creating a new VM in student (as the user): http://www.electricmonk.nl/log/2011/09/24/multiple-virtualbox-vms-using-one-base-image-copy-on-write/

        VBoxManage createvm --name Ubuntu --ostype Ubuntu_64 --register
        VBoxManage modifyvm Ubuntu --memory 1024
        VBoxManage modifyvm Ubuntu --vram 256
        VBoxManage modifyvm Ubuntu --cpus 2
        VBoxManage storagectl Ubuntu --name sata1 --add sata      # sets the storage to use SATA
        VBoxManage storageattach Ubuntu --storagectl sata1 --port 0 --device 0 --type hdd --medium /home/ourbox/Desktop/Ubuntu.vdi --mtype immutable   # adds the original VM and sets it to immutable

  - We have put the commands above into an executable bash file. The idea is to have it run every time the account is logged into.
  - Multiattach mode works very much like Immutable; the biggest difference is that when you restart the machine the difference is not deleted. This means one can run two VMs from the same image, but each one creates a snapshot which then contains the difference.
  - We can also restrict what should be available to users of the management tools, more info: https://www.virtualbox.org/manual/ch09.html#guitweaks
- Problems
  - If a student has taken a snapshot or saved their changes and the admin has to make a change to the original, this will cause all the saved
(Wireshark, host sent, continued)

      protocolOp: searchRequest (3)
        searchRequest
          baseObject: ou=student,dc=hig,dc=no
          scope: wholeSubtree (2)
          derefAliases: neverDerefAliases (0)
          sizeLimit: 1
          timeLimit: 0
          typesOnly: False
          Filter: (&(objectClass=user)(sAMAccountName=120683))
            filter: and (0)
              and: (&(objectClass=user)(sAMAccountName=120683))
                and: 2 items
                  Filter: (objectClass=user)
                    and item: equalityMatch (3)
                  Filter: (sAMAccountName=120683)
                    and item: equalityMatch (3)
          attributes: 10 items
            AttributeDescription: sAMAccountName
            AttributeDescription: userPassword
            AttributeDescription: sAMAccountName
            AttributeDescription: gidNumber
            AttributeDescription: cn
            AttributeDescription: homeDirectory
            AttributeDescription: loginShell
            AttributeDescription: gecos
            AttributeDescription: description
            AttributeDescription: objectClass

Figure 7: Wireshark, host sent

    Frame 10: 381 bytes on wire (3048 bits), 381 bytes captured (3048 bits) on interface 0
    Ethernet II, Src: Cisco_72:44:21 (00:13:7f:72:44:21), Dst: 98:90:96:a8:a1:34 (98:90:96:a8:a1:34)
    Internet Protocol Version 4, Src: 128.39.140.10 (128.39.140.10), Dst: 10.10.0.70 (10.10.0.70)
    Transmission Control Protocol, Src Port: ldap (389), Dst Port: 46521 (46521), Seq: 23, Ack: 288, Len: 315
    Lightweight Directory Access Protocol
      LDAPMessage searchResEntry(2) "CN=120683,OU=12HBWUA,OU=Student,DC=hig,DC=no" [1 result]
        messageID: 2
        protocolOp: searchResEntry (4)
          searchResEntry
            objectName: CN=120683,OU=12HBWUA
which is a standard file in Debian where the configuration for NSS (Name Service Switch) is defined. It tells the operating system where information such as password, shadow, group, etc. should be gathered from.

3.5.1 Line definition

The focus here will only be on lines 3-5, see Listing 3.4. By default those three lines end with compat, which means that the information for password, group and shadow will only be gathered from the local files in /etc (passwd, group, shadow) [14].

3.5.2 Example

Listing 3.4: Default nsswitch.conf

    # /etc/nsswitch.conf

    passwd:         compat
    group:          compat
    shadow:         compat

    hosts:          files mdns4_minimal [NOTFOUND=return] dns
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis

3.6 Unity greeter

LightDM is a display manager; it starts the sessions and the greeter, which is the login screen [15]. This section is going to explain how the greeter works in LightDM. Ubuntu uses LightDM as its display manager, and LightDM starts the Unity greeter, which looks like this [4]:

Figure 3: Unity greeter

This greeter can be configured to look different, but will for the most part do the same thing, which is logging in. The system configuration is in the path /usr/share/lightdm/lightdm.conf.d/*.conf [17], but to override these files a system administrator has to edit /etc/lightdm/lightdm.c
05.2015].
[23] Oracle (2015). Chapter 5.4. Special image write. https://www.virtualbox.org/ [Online; accessed 10.05.2015].
[24] Jing (2015). How to import a qcow2 to virtual image storage pool (gui). https://docs.google.com/document/d/1X8TaBP1v_rh8e2QXDGFmkmzoPB13Pvp2V0FQ630VC8U [Online; accessed 12 May 2015].
[25] Kaufman, L. (2014). How to copy and paste between a VirtualBox host machine and a guest machine. http://www.howtogeek.com/187535/how-to-copy-and-paste-between-a-virtualbox-host-machine-and-a-guest-machine/ [Online; accessed 13 May 2015].
[26] gunnarhj (2015). CustomizeGuestSession. https://help.ubuntu.com/community/ [Online; accessed 13 May 2015].

LOG

A Log

12.01.2015
- We have agreed on working hours and some form of development model: a mix between incremental and waterfall, with deadlines.
- We have sent a request to Thomas for a meeting.
- We will wait with setting up a meeting with Erik H until after we have met with Thomas.
- We will use LaTeX for the thesis itself, as well as the project plan.
- We will use Trello for a to-do list.
- We want to use Bitbucket ("git bucket") as our collaboration method.
- We could imagine about one meeting a week, so that we have roughly every other week with the supervisor and every other week with the employer, where one meeting a month is more like a larger status meeting. It may be that we want a meeting every week with the supervisor.
- We have started looking at the use of LaTeX for writing the proje
(Wireshark packet list, continued)

    No.  Time          Source          Destination     Protocol  Length  Info
    61                 128.39.140.10   10.10.0.239     LDAP      88      bindResponse(1) success
    62   10.290154096  10.10.0.239     128.39.140.10   TCP       66      52983 > ldap [ACK] Seq=67 Ack=23 Win=29312 Len=0 TSval=295658 TSecr=23251129
    63   10.290233090  10.10.0.239     128.39.140.10   LDAP      282     searchRequest(2) "ou=student,dc=hig,dc=no" wholeSubtree
    64   10.292047000  128.39.140.10   10.10.0.239     LDAP      385     searchResEntry(2) "CN=121088,OU=12HBDRA,OU=Student,DC=hig,DC=no" | searchResDone(2) success [1 result]
    65   10.292262006  10.10.0.239     128.39.140.10   LDAP      73      unbindRequest(3)
    67   10.293629006  128.39.140.10   10.10.0.239     TCP       66      ldap > 52983 [ACK] Seq=342 Ack=291 Win=65240 Len=0 TSval=23251129 TSecr=295638
    69   10.293683096  10.10.0.239     128.39.140.10   TCP       66      52983 > ldap [ACK] Seq=291 Ack=343 Win=30336 Len=0 TSval=295659 TSecr=23251129

    LDAP 385 searchResEntry(2) "CN=121088,OU=12HBDRA,OU=Student,DC=hig,DC=no" | searchResDone(2) success [1 result]
      searchResEntry
        objectName: CN=121088,OU=12HBDRA,OU=Student,DC=hig,DC=no
        attributes: 5 items
          PartialAttributeList item objectClass
          PartialAttributeList item cn
          PartialAttributeList item description
            type: description
            vals: 1 item
              AttributeValue: Gavin Thomas Garrad
          PartialAttributeList item homeDirectory
          PartialAttributeList item sAMAccountName
      [Response To: 63]
      [Time: 0.001814800 seconds]
    Lightweight Directory Access Protocol
      LDAPMessage searchResDone(2) success [1 result]
        messageID: 2
        protocolOp: searchResDone (5)
          searchResDone

- https
(Listing 4.24, continued; the listing is reconstructed from the scan)

        done
    # Only ordinary users get VMs created; the admin account is skipped.
    if [ "$me" != "$admin" ]; then
        for eachOS in "${os[@]}"; do
            osRegEx="^\"$eachOS\""
            # Name of the VM as VirtualBox already knows it (empty if not registered).
            knownVMs=$(VBoxManage list vms | grep -e "$osRegEx" | awk '{print $1}' | cut -d '"' -f 2)
            DIRECTORY="$HOME/VirtualBox VMs/$eachOS"
            if [ "$knownVMs" != "$eachOS" ]; then
                # Remove any stale VM folder before registering a fresh VM.
                if [ -d "$DIRECTORY" ]; then
                    rm -fr "$DIRECTORY"
                fi
                VBoxManage createvm --name "$eachOS" --ostype Ubuntu_64 --register
                VBoxManage modifyvm "$eachOS" --memory 1024 --vram 256 --cpus 2 --nic1 bridged --bridgeadapter1 eth1
                VBoxManage storagectl "$eachOS" --name sata1 --add sata
                # The base image stays immutable; each user's changes live in a differencing disk.
                VBoxManage storageattach "$eachOS" --storagectl sata1 --port 0 --device 0 --type hdd --medium "/home/$admin/Desktop/os/$eachOS.vdi" --mtype immutable
            fi
        done
    fi

This script (Listing 4.24) does the same as Listing 4.22, but with some modifications. The script in Listing 4.24 resides in the profile.d folder and runs every time a user logs on to the machine.

Line 7: This for loop gets the names of all the vdi images in the folder os, which is on the administrator's desktop.
Line 9: Puts the vdi image's name into an array, which is later used in line 14.
Line 14: Goes through the array made in line 9 and makes a VM for each entry.
Line 24: Here it modifies the virtual machine the same way as in Listing 4.22, but it adds the --nic1 bridged --bridgeadapter1 eth
    # The DN to bind with for normal lookups.
    binddn cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
    bindpw Ourbox92

    # The DN used for password modifications by root.
    #rootpwmoddn cn=admin,dc=example,dc=com

    # SSL options
    ssl off
    #tls_reqcert never

    # The search scope.
    scope sub

    # Mappings for Active Directory
    pagesize 1000
    filter passwd (&(objectClass=user))
    map    passwd uid              sAMAccountName
    map    passwd gidNumber        primaryGroupID
    map    passwd homeDirectory    "/home/$sAMAccountName"
    map    passwd gecos            description
    map    passwd loginShell       "/bin/bash"
    map    passwd uidNumber        msSFU30UidNumber
    filter shadow (&(objectClass=user))
    map    shadow uid              sAMAccountName
    map    shadow shadowLastChange pwdLastSet

- Changed map passwd uidNumber msSFU30UidNumber
  - so that it takes sAMAccountName, so that we also get the getent
- If we want to let LDAP execute our own bash scripts and send the username as a parameter, we can use e.g.

        auth required pam_exec.so script.sh $PAM_USER

- Create a group with group ID 513 and name 513: groupadd -g 513 513
- Trying to find another way to start Fluxbox, since when you start Fluxbox from the login menu and choose it, the functions work. But what I want is that the Fluxbox window manager starts when you log in.
  - https://wiki.ubuntu.com/CustomXSession
  - http://www.fluxbox.org/help/man-fluxbox.php
  Been checking those sites and they say something about changing the xinitrc file or making it, but it did
- Send the spec requirements to Thomas. IF SOMETHING COSTS A FEW THOUSAND KRONER FOR A LICENSE THAT IS FINE, BUT OTHERWISE NO.
- Weeks 1-2: make a pros/cons list of software
  - make a timetable
  - search through what exists on the market
  - start on the comparison
- We must also take into account whether the service will be available. By the end of April we should be done with the physical part, and then we will use 2 weeks to finish writing the report.
- When we are writing on one thing and suddenly get stuck, write on something else and divide the task.
- Before Easter we should do trial and error; after that we must write a lot and get things to work in the report.
- We must find a solution for how we are to use LDAP for authorization. For authorization it would be nice if it were possible with guest groups, so that people who are not students here also get access.
- John says / Thomas thinks that VirtualBox can satisfy many of the requirements.
- During February we should be finished with how everything should be, and ready to start working physically.
- Thomas says we should have a minimum of 2 NICs, but if more are needed that is not a problem. 802.1q (Cisco standard): look at what it entails, because he wants the NICs to support it.

Log
- We have talked with Erik about a meeting day and he can do Wednesdays from 10:15, so we have to check with Thomas whether it is possible for him too; we will talk to him tomorrow / send a mail.
- Erik mentioned that we should check out
This also made the desktop window bigger and made it possible to go into fullscreen mode.

- How to make a user see libvirt: next paragraph.
- Looking at the solution of making a kiosk mode out of VirtualBox:
  - https://forums.virtualbox.org/viewtopic.php?f=7&t=52974
  - Seems too old; it was made in 2012 and it seems like it hasn't been updated since.
  - Gonna try it to see what it does.
- Libvirt
  - Install Ubuntu to an img file:

        virt-install -n ubuntu --vcpu 1 -r 1024 --disk path=/home/ourbox/Desktop/libvirt/ubuntu.img,size=8 --cdrom /home/ourbox/Desktop/os/ubuntu-14.04.2-desktop-amd64.iso --accelerate

  - Create a qcow2 image:

        qemu-img create -f qcow2 -b ubuntu.img test.qcow2

  - Take the qcow2 image into use (important to specify that this is a qcow2-formatted file):

        virt-install -n test --vcpu 1 -r 1024 --disk path=/home/ourbox/Desktop/libvirt/test.qcow2,size=8,format=qcow2 --import --accelerate

  - Create a student (multiattach) and a guest (immutable) group:

        groupadd student
        groupadd guest

  - Create a student user:

        useradd -d /home/student1 -m student1

  - Add a user to a group:

        usermod -G student -a student1

  - Add the ubuntu.img file to the groups student and ourbox:

        setfacl -m g:student:rx ubuntu.img
        setfacl -m g:ourbox:rwx ubuntu.img

  - NOTES
    - The libvirt service is called:
      - in RHEL or CentOS: libvirtd
      - in Ubuntu: libvirt-bin
    - Compact info about how to use libvirt / virsh: https://wiki.archlinux.org/index.php/Libvirt
  - On the user student1 w
26. a delay on the extension pack. This means that we had to install a specific version of VirtualBox and the matching extension pack for it. The result is the following script:
Listing 4.21: Installation of VirtualBox 4.3
    #!/bin/bash
    admin=            # name of the administrator user; the value is filled in when the script is executed
    echo "deb http://download.virtualbox.org/virtualbox/debian trusty contrib" | sudo tee -a /etc/apt/sources.list
    wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
    sudo apt-get update
    sudo apt-get install -y virtualbox-4.3
    wget -O /tmp/extention.vbox-extpack http://dlc-cdn.sun.com/virtualbox/4.3.26/Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
    sudo VBoxManage extpack install /tmp/extention.vbox-extpack
    sudo adduser "$admin" vboxusers
Line definitions:
Line 2: variable holding the name of the administrator user. It gets its value when the script is executed.
Line 3: add the repository from which VirtualBox 4.3 will be downloaded. The line is written through sudo tee -a, because with a plain sudo echo ... >> file the redirection is done by the unprivileged shell and fails on /etc/apt/sources.list.
Line 4: download Oracle's public key for apt-secure and add it to apt's keyring.
Line 5: update the package index so apt sees the new repository.
Line 6: install VirtualBox 4.3.
Line 7: download the extension pack for VirtualBox 4.3.26 into /tmp; after a reboot the downloaded file is removed automatically.
Line 8: make VirtualBox install the extension pack.
Line 9: the user must be added to the vboxusers group to get full use of VirtualBox.
Two checks are worth adding before running this on lab hosts: compare the fingerprint of the downloaded key with the one published on virtualbox.org before handing it to apt-key, and compare the extension pack, which is fetched over plain HTTP, with the checksum published for that release, since VBoxManage extpack install unpacks it into the VirtualBox installation as root.
27. authenticate client computers using LDAP on an Ubuntu 12.04 VPS
MINUTES FROM THE MEETING WITH JOHN
- Found out that ldap.hig.no is a server for simple lookups about users, such as email, picture and name. So until now we have been trying to verify the password against the wrong server for the last few weeks. The reason was that after a visit to the IT department we were told just to try things out. So we have managed to spend 2 weeks on little sensible progress.
- Got two notes:
  - Note 1: Server we should connect to: hig1.hig.no (IP 128.39.140.7) or carol.hig.no (IP 128.39.140.10). My user account we will authenticate with: 120683. bindDN: cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
- He said there were two possibilities: either authenticate against the server we were given, which means using PAM against Active Directory; this means we must tailor PAM much more than if we had used the other server we could connect to, which uses POSIX.
- We can also get the possibility to do this for employees too, but then we have to filter more.
  - We were given the tree for students, so if we are going to do it for employees as well we have to go back to Jon.
LOG
- After our meeting with Jon Langseth we were told to configure PAM to talk with AD. Here is a link which is going to be read:
  - https://technet.microsoft.com/en-us/magazine/2008.12.linux.aspx
24.03.15
- Tried this tutorial for lda
28. but not least we start Fluxbox. Because it is the last application you have to run it with exec in front of it:
    virtualbox &
    exec fluxbox
or, if you want to keep a log:
    virtualbox &
    exec fluxbox -log /home/ourbox/fluxbox.log
E.4 Fluxbox user menu
    # This is an automatically generated file. Please see </usr/share/doc/menu/README>
    # for information. To use your own menu, copy this to ~/.fluxbox/menu, then edit
    # ~/.fluxbox/init and change the session.menuFile path to ~/.fluxbox/menu
    [begin] (Fluxbox)
    # Automatically generated file. Do not edit (see /usr/share/doc/menu/html/index.html)
    [submenu] (Applications)
      [submenu] (VirtualBox)
        [exec] (VirtualBox) {/usr/bin/virtualbox} </usr/share/pixmaps/virtualbox.xpm>
      [end]
    [end]
    [restart] (Restart)
    [exit] (Exit)
    [end]
F Read me file
Now that you have installed Ubuntu on the machine, you need to make runMe.sh executable. Also remember to make a folder called os on your Desktop; this is where the vdi images are going to be. Open a terminal and run:
    sudo chmod +x /path/to/runMe.sh
Now that you have done that you need to execute runMe.sh; in a terminal run:
    /path/to/runMe.sh
This will install VirtualBox, Fluxbox and libpam-ldapd and configure the defaults for the different services. This may take a m
29. inside the runMe.sh file, but to make it easier to read (the script needs a lot of escaping of variables when it sits inside runMe.sh) we put this code in a separate file named defaultVMScript.sh. When we copy this file into /etc/profile.d the script will not run; it has nothing to do with making it executable. It's like the file is corrupt in some way; I tried to create another file and paste the code into that one, but it just won't work.
  - After the installation with the runMe.sh script, if I do cat /etc/profile.d/defaultVMScript.sh > /etc/profile.d/defaultVMs.sh then it works. It's like there is some format error or a corrupt file, but it can perform rw; no idea what's wrong.
  - SOLUTION: it doesn't work to use cp path/defaultVMScript.sh /etc/profile.d/. We must use cat path/defaultVMScript.sh > /etc/profile.d/defaultVMScript.sh
- What we need to do:
  - Let every created VM be created with the NIC configured in bridged mode.
  - Take Kerberos into use and make the LDAP authentication encrypted.
- Bridge mode
  - List a lot of detailed information about the VM's configuration: VBoxManage showvminfo NAME
  - https://forums.virtualbox.org/viewtopic.php?f=7&t=45911
    - There was something there that might be useful.
    - Yep, it was :D
24.04.15
- Let every created VM be created with the NIC configured in bridged mode.
  - This is done by adding this line: VBoxManage modifyvm NAME --nic1 bridged
30. do inside the hypervisor. To mention the differences: a user will be able to create, modify and delete virtual machines, while an administrator can also make changes on the hypervisor itself and create etc. VMs. A guest account will also be created.
The third important thing will be to let the virtual machines have access to different networks. A host will be able to connect to the internet (HiG's backbone) and to the internal Cisco network, which is the local Cisco network inside the Cisco lab. This way each VM will be able to be connected to both networks if necessary.
The fourth step, as mentioned above, is that this solution should be implemented on one host to begin with; that will be our prototype. At a later stage the prototype should be implemented on 6 hosts, which will be done by the project owner. Another thing to keep in mind is that those hosts should be configurable remotely. This will allow an administrator to sit in front of one host (his/her own PC) and configure several hosts simultaneously, e.g. creating mail servers.
1.2 Target group
The target for this report will mainly be those who are going to do further work on this solution, and those in general who are interested in learning about our system. This report should help other bachelor theses to see what we have done and why we have done it the way we have. The actual project is targeted at the
31. you learn more and get a better overview of what is possible and what is not.
For next week we shall make a network map.
  - Talk with John and get it approved.
  - Find out how we can configure KVM via the CLI.
  - Find John and ask him why he prefers VirtualBox, because Erik does not see why it is better than using libvirt and KVM.
  - Important that in the thesis we draw clear lines for why we do and choose what we do.
  - We must get KVM and libvirt installed. Then a root user shall create a VM. After that a user shall be able to log in and start that VM, but all the changes shall be saved to a separate file. So next time, when another user logs in, they shall be able to start the VM, but from their own scratch, and their changes shall be saved to their own file. This way all users will be able to start and work with a base OS with their own changes on top.
Erik drew an overview of how the network could look.
Got mail from Erik:
- I have talked with Jon and agree with him that we try VirtualBox
18.02.15 Minutes from the meeting
- For next time we shall prepare a small presentation to demonstrate how immutable etc. works with VirtualBox and KVM.
- John's reasons for using VirtualBox:
  - The VirtualBox client is a known interface for the students
  - It has functionality for immutable disks
- Do an lsattr on the immutable disk for VirtualBox
  - chattr +i → make the file immutable
In two weeks we shall
32.
    map shadow uid sAMAccountName
    map shadow shadowLastChange pwdLastSet
    echo "session required pam_mkhomedir.so skel=/etc/skel umask=0077" >> /etc/pam.d/common-session
    echo -e "[SeatDefaults]\ngreeter-hide-users=true\ngreeter-show-manual-login=true" > /etc/lightdm/lightdm.conf
Create a group with group ID 513 and name 513:
    groupadd -g 513 513
Install an Ubuntu vdi and give group 513 rx permissions on it:
    setfacl -m g:513:rx ubuntu.vdi
Download the default startup script and put it in /etc/profile.d.
Creating a demo: the OS files in the Desktop/os folder must not contain any whitespace, because when we search for every OS vdi file we take the 9th column of ls -l, and a new column would be created for every space.
Get the full name of the file:
    ls -l /home/ourbox/Desktop/os/*.vdi | awk '{print $9}'
Only get the name of the file:
    ls -l /home/ourbox/Desktop/os | awk '{print $9}' | grep vdi
Only display the image name without .vdi:
    ls -l /home/ourbox/Desktop/os | awk '{print $9}' | grep vdi | cut -d. -f1
Get input from the user in a bash script:
    admin=$(zenity --entry --text="What is the hostname of the administrator?")
Using sed to change the value of the admin variable in a file:
    admin=$(zenity --entry --text="What is the hostname of the administrator?")
    sed -i "/^admin=/c admin=$admin" verifyNewOSes.sh
23.04.15
- First we had the script which goes inside /etc/profil
33. program without implementing a particular authentication scheme. Instead they can focus purely on the details of their program.
3.2.3 PAM configurations
A service which wants to use PAM has to have its own PAM configuration in /etc/pam.d, with the service name as the name of the configuration file. There are four default configuration files which a service can include from its own file. Their purpose is to avoid every service inventing its own way to e.g. authenticate; instead it includes one of the shared files. Short description of the four, taken from [1]:
- common-auth: validates that the user has presented valid credentials.
- common-account: decides whether the user is allowed to use an account on the local machine or not.
- common-session: sets up the resources a user may need, e.g. displaying a message of the day or mounting the user's home directory.
- common-password: used when a user updates or changes their own credentials, e.g. their password.
A PAM configuration file consists of a list of rules (see Figure 1):
    auth sufficient pam_unix.so nullok try_first_pass
Figure 1: PAM configuration syntax
The first token tells PAM which management type the rule belongs to (PAM supports 4 types: auth, account, session and password). The second token is a control flag which tells PAM what to do if the rule fails. It supports 4 different control
34. run virtual machines. These 12 machines are not connected to each other, and each of them has a pod where it can connect to the switches and routers. Also, when users log on to one of these 12 computers there is no authentication at all, so every user has administrator rights on the host PC. Because of this there have been cases where the machines were destroyed and Thomas had to reinstall the OS on them. He wants HiG to have a system similar to the one at his last workplace in Bremen, Germany. The system should be easy to configure and maintain through a management interface.
1.1.1 Demarcation
This project is only a small part of a bigger project which in the end will be very useful for solving many tasks, as mentioned in the section above. In this first part we have set some limits so that we can be done with this part by the deadline in May:
- No need to develop a GUI for managing the hypervisor and the VMs. This can be done later by someone else. Our requirement is that management is done through a command line interface.
- We do not need to make all hosts manageable from one manager node, or manageable through a VPN. The important part is to keep in mind that this will, and should, be possible at a later stage.
- We only need to make this solution work on one host, but it should be easy to roll out to many hosts.
35. tailor PAM much more than if we had used the other server we could connect to, which uses POSIX. We can also get the possibility to do this for employees too, but then we have to filter more.
  - We were given the tree for students, so if we are going to do it for employees as well we have to go back to Jon.
B User Manual
OurBox Manual
Stepan Maluchev, Gavin Thomas Garrad
May 15, 2015
Contents: 1 Some instructions at first; 1.1 Users; 1.2 VirtualBox; 2 Installation; 3 Switch the Desktop; 4 Semester maintenance; 5 How to make an image
1 Some instructions at first
Once you have made a vdi image, remember to turn off auto-update. If there is a change to the original vdi image that resides on the administrator's desktop while other users have work saved in their differential files, those differential files will be broken. So when you need to update the original vdi image you have to remove all of the users' differential files.
1.1 Users
All users will have a home folder in /home/studentnumber. Within their home folder there will be a VirtualBox folder which contains all of their differential files.
1.2 VirtualBox
If a user is unlucky and deletes the VMs that are standard for the system, this won't be a problem; they just need to relog
36. sssd.conf file missing after installing sssd.
  - Trying to follow this tutorial: http://linuxrackers.com/doku.php?id=ubuntu_13.04_set_up_ldap_client_using_sssd_for_auth_and_identity
    - Nope, didn't do anything new as far as I can see.
- Trying to see what this does for us:
  - http://people.skolelinux.org/pere/blog/Caching_password__user_and_group_on_a_roaming_Debian_laptop.html
07.04.15
- Writing on the report and talking with John for help with the authentication part.
- John found our problem in the config file /etc/ldap.conf; he added:
  - bind_policy soft
    By default it is bind_policy hard, which means that if the host tries to connect to the AD server and fails the first time, the whole LDAP authentication fails. With it set to soft the host is able to re-establish the connection several times. Not sure why it fails the first time.
  - The next thing we hadn't looked at was how the host maps to the AD server. By default all of the lines below were commented out; John enabled all of them except the homeDirectory line (we won't mount the user's home directory on our host anyway):
    # RFC 2307 (AD) mappings
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    #nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute
37. students and teachers who are going to use it, mainly Thomas Kimmerich and the Cisco courses he runs in the Cisco lab.
1.3 Subject
So why did we choose to write about this subject? We both find the topic of this thesis very interesting, challenging and instructive, and after all the topic is very relevant to our background (see section 1.4). This thesis will not only let us help upgrade HiG's Cisco lab; if everything goes as planned and the Cisco lab takes our solution into use, we will have our names in that lab, at least for some time.
1.4 Our background
We both have the same background from three years at HiG. The programme we are taking is "Drift av nettverk og datasystemer" and contains the subjects:
- Basics of programming
- Introduction to information security
- Mathematics for information technology
- Object oriented programming
- Data communication and network security
- IT Service Management
- Statistics
- Network administration
- Data modelling and database design
- Algorithmic methods
- System development
- Operating systems
- Database and application operation
- System administration
- Mainframe
- Ethical Hacking and Penetration Testing (Stepan Maluchev)
- IT leadership (Stepan Maluchev)
- Software development (Gavin Garrad)
- WWW Technology
The highlighted subjects are the ones we have had most use of in our bachelor thesis.
1.5 Framework
How d
38. the application without a window manager, so we need to find out how to start a window manager together with VirtualBox.
  - Is it possible to do this through xsessions instead?
02.03.15
- We have created two groups, immutable and multiattach:
    groupadd immutable
04.03.15 Minutes from the meeting
- Find out why we do not choose libvirt/KVM but VirtualBox instead.
- VirtualBox has a more mature user interface and is better known to the students. KVM is much better and more mature as a hypervisor, but in our case VirtualBox will be more suitable.
- Make a Linux server, a mail server and a Windows machine and have them available when VirtualBox starts.
- Find out whether VirtualBox satisfies all our requirements. If not, explain why not and what can be done to get it to work.
- By 12 April we should have some version of the bachelor thesis. 2-3 weeks before submission we shall also have a revised version for Erik to look at.
- Get automatic spell check for TeXworks.
09.03.15
- VirtualBox was strange. It would not let the guest have a big picture; it was only 600x400 or so. So I am trying to install from the internet.
  - VirtualBox will not let the guest have a picture in its own window
    - http://www.ubuntugeek.com/virtualbox-and-ubuntu-14-04-display-issue.html
    - Tried this and it worked; not quite sure whether that was what made it not show the picture, but
- Devices → Insert Guest Additions CD image
39. types:
- requisite: if this module fails, the whole PAM stack stops immediately and an error is returned to the application.
- required: if this module fails, PAM will return an error to the application, but only after it has continued through the remaining modules in the stack (so the user cannot tell which module failed).
- sufficient: if this module succeeds, and no earlier required module has failed, PAM stops evaluating the stack and grants access.
- optional: the result of this module only matters if it is the only module of that management type for the service.
In the third position is the name of the PAM module the rule uses. For example, when a user authenticates with a local password, pam_unix.so is the standard module. The remaining tokens are the arguments passed to the module.
3.3 Explanation of the package libpam-ldapd
3.3.1 What is libpam-ldapd
This package lets a Unix system perform remote authentication and authorisation via an LDAP server. libpam-ldapd is the successor of libpam-ldap (section 3.4): it is basically an update of the old NSS and PAM modules with a changed design. The advantage of libpam-ldapd is that it uses a daemon (nslcd) which keeps the LDAP connections open and reuses them for the queries, which reduces the network traffic and improves performance. Without the daemon every service would need to set up its own LDAP connection and tear it down again.
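The control-flag semantics explained across section 3.2.3 (the token positions of Figure 1 and the four flags listed above) are easiest to see by evaluating a stack. The following Python script is an added example written for this edition, not code from the OurBox thesis. It models only the simple keywords and the success/failure outcomes (the [value=action] syntax and PAM_IGNORE are left out), and the stack and the per-module outcomes it runs are constructed.

```python
"""Simulate the Linux-PAM control-flag semantics described in section 3.2.3.

Added example (not from the OurBox thesis). Only the simple keywords
required, requisite, sufficient and optional, and the two outcomes
success/failure, are modelled.
"""
from dataclasses import dataclass

UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"


@dataclass(frozen=True)
class Rule:
    type: str       # auth, account, session, password
    control: str    # required, requisite, sufficient, optional
    module: str     # e.g. pam_unix.so
    args: tuple     # module arguments


def parse_rule(line: str) -> Rule:
    """Parse one /etc/pam.d rule of the form shown in Figure 1."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"not a PAM rule: {line!r}")
    return Rule(tokens[0], tokens[1], tokens[2], tuple(tokens[3:]))


def run_stack(rules, outcomes):
    """Evaluate a stack of rules of one type.

    outcomes maps module name -> True (success) / False (failure), i.e. what
    that module would return for the user being authenticated. Returns
    (granted, modules_actually_run) so that the difference between
    requisite (stops) and required (keeps going) is visible.
    """
    impression = UNDEF
    executed = []
    for rule in rules:
        ok = outcomes.get(rule.module, False)
        executed.append(rule.module)
        if rule.control == "requisite":
            if not ok:
                return False, executed          # stop at once, error to the application
            if impression == UNDEF:
                impression = POSITIVE
        elif rule.control == "required":
            if not ok:
                impression = NEGATIVE           # remember the failure, keep going
            elif impression == UNDEF:
                impression = POSITIVE
        elif rule.control == "sufficient":
            if ok and impression != NEGATIVE:
                return True, executed           # grant, skip the rest of the stack
            # a failing sufficient module is simply ignored
        elif rule.control == "optional":
            if ok and impression == UNDEF:
                impression = POSITIVE           # only counts when nothing else decided
        else:
            raise ValueError(f"unsupported control flag {rule.control!r}")
    # End of stack: a stack that never reached a decision (e.g. only failed
    # sufficient rules) is denied, not granted.
    return impression == POSITIVE, executed


def auth_stack(config_text, outcomes):
    """Run only the auth rules of a pam.d-style text."""
    rules = [parse_rule(line) for line in config_text.splitlines()
             if line.strip() and not line.lstrip().startswith("#")]
    return run_stack([r for r in rules if r.type == "auth"], outcomes)


# Constructed auth stack in the shape OurBox ends up with: local users first,
# then the LDAP/AD module (module outcomes are assumptions, not real calls).
COMMON_AUTH = """
auth sufficient pam_unix.so nullok try_first_pass
auth required   pam_ldap.so use_first_pass
"""

if __name__ == "__main__":
    print(auth_stack(COMMON_AUTH, {"pam_unix.so": True}))                        # local user
    print(auth_stack(COMMON_AUTH, {"pam_unix.so": False, "pam_ldap.so": True}))  # AD user
    print(auth_stack(COMMON_AUTH, {"pam_unix.so": False, "pam_ldap.so": False})) # wrong password
```

The last case in the script is the one worth remembering when debugging the OurBox stack: with required, the failing module's error is only reported after every later module has also run, so the log lines of the later modules (pam_mkhomedir, pam_mail) appear even though the user was going to be rejected.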
40. should have a crash course in how to write a requirements spec. It must be possible to copy/paste between the different VMs. By 10 February we shall be finished with the requirements spec and with how it should be; the easiest is if we use Linux and KVM. Local group policy: then the policy rules will be copied on to all the other hosts.
- Erik suggests that we instead have our own policy groups which are handed out to the students (password and username).
- Erik suggests that the sooner the better we try to set up the physical part and see what is possible and what is not, how the technology works and where the limits are.
- Bridge mode between the VMs.
30.01.15
uname: ourbox, pwd: our555box
First we install Ubuntu 14.04.1 LTS with LXDE Core with virsh via the tutorial http://www.howtogeek.com/117635/how-to-install-kvm-and-create-virtual-machines-on-ubuntu/
Check whether the CPU is 64- or 32-bit: uname -m
https://help.ubuntu.com/community/KVM/Installation
- We started to surf the internet and found out that what we mainly want is a type 1 hypervisor, aka a bare-metal hypervisor: http://en.wikipedia.org/wiki/Hypervisor. We found one called Xen: http://wiki.xenproject.org/wiki/Xen_Overview#What_s_the_Xen_Project_Hypervisor.3F
- Gavin started to read about this: https://www.youtube.com/watch?v=n3POmIMNzvw
- Problem:
  - When we booted up Ubuntu we got a timeout message like this: [65.456035] mei_me 0000:00:03.0: reset: connect/disconnect time
41. with a server that hosted all the virtual machines, but this was not the case. We also want to mention that there have been some issues with the language barrier and with knowledge.
5.4.2 Organisation
We used Google Drive to store all of our work, so that if anything got lost from our PCs we would still have it in the cloud. We chose Google Drive over Bitbucket because we did not have a lot of code to write, but rather documents and documentation. We wrote a log for each day that we worked.
5.4.3 Work flow and work distribution
We have had a fluid work distribution: we have taken responsibility for what we found interesting, and we have worked together when one of us got stuck. We have had weekly meetings with our tutor and employer so that they knew what we had done and could come with ideas for what we should look into next.
5.5 Conclusion
We feel that our goal has been reached with this thesis. We were able to make a prototype which works. Making the prototype has been a challenging task and we have learned a lot. We hope the product we made for Thomas Kimmerich will be used and satisfies most of his needs, even though some of the requirements were not fully met. We feel that we have laid the groundwork for other students to continue on this subject.
Bibliography
[1] Getting to know PAM. http://www.tuxradar.com, 2015. Online; accessed
42. 0 19 0 78 10 10 0 70 Dst 128 39 140 10 128 39 140 10 Transmission Control Protocol Src Port 46521 46521 Dst Port ldap 389 Seq 67 Ack 23 Len 221 rLightweight Directory Access Protocol vwLDAPMessage searchRequest 2 ou student dc hig dc no wholeSubtree messagelD 2 wprotocolop searchRequest v searchRequest 3 baseObject ou student dc hig dc no scope wholeSubtree 2 derefAliases neverDerefAliases 0 sizelimit 1 timeLimit O typesonly False wFilter S objectClass user sAMAccountName 120683 vfilter and 0 wand amp objectClass user sAMAccountName 120683 wand 2 items wFilter objectClass user wand item equalityMatch 3 bequalityMatch wFilter sAMAccountName 120683 wand item equalityMatch 3 bequalityMatch wattributes 10 items AttributeDescript AttributeDescription AttributeDescription AttributeDescription AttributeDescription AttributeDescription AttributeDescription AttributeDescription AttributeDescription AttributeDescription userPassword sAMACCOUntName gidNumber cn honeDirectory LoginShell gecos description objectClass o Frame 10 381 bytes on wire 3048 bits 381 bytes captured 3048 bits on interface 0 Ethernet II Src Cisco 72 44 21 00 13 7f 72 44 21 Dst 98 90 96 a8 a1 34 98 99 96 a8 a1 34 Internet Protocol Version 4 Src 128 39 140 10 128 39 140 10 Dst 10 10 0 70 10 10 0 70 Transmission Control Protocol S
43. 1, which sets the NIC into bridged mode.
5 Ending
5.1 Requirements and their results
Requirement: If possible, no OS will be running on the hosts, only a hypervisor which boots up.
Completed: Partially.
Summary: This is possible with KVM, since KVM turns Linux into a hypervisor. We also tested VirtualBox; what we found was that KVM was not as user-friendly and that VirtualBox was more widely known virtual machine software. We had to choose which of them to use and went for VirtualBox, but then we had to run it on top of an OS.
Requirement: No access to the hypervisor by the users.
Completed: Yes.
Summary: Since we went for an OS which runs VirtualBox, we used a window manager (Fluxbox) and disabled all functions besides starting VirtualBox and exiting. We mainly do not want the user to have any access to a terminal, so we disabled the TTY consoles (also known as virtual consoles).
Requirement: A list of virtual machines can be started by the users.
Completed: Yes.
Summary: This was possible with both hypervisors we tested. By default, when a user logs into the system they get a list of different virtual machines ready to be booted. The user is also able to create their own virtual machines.
Requirement: The virtual machines must be able to have accounts/users.
Completed: Yes.
Summary: This depends on the base image that is created. The ones we have created have only one user, which is also the administr
44. ...20683 preauth ... Apr 10 ...
13.04.15
- Meeting with Erik. We need help with LDAP mounting.
  - /etc/pam.d: we added a line for making the home directory; we tried different files (common-auth, common-account, common-session and the login file):
    session required pam_mkhomedir.so skel=/etc/skel umask=0077
  - /etc/ldap.conf: changed base ou=student,dc=hig,dc=no, uri ldap://..., ldap_version 3, binddn, scope, bind_policy and the RFC 2307 AD mappings.
  - We just removed the hash in front of every line except the home directory one:
    # RFC 2307 (AD) mappings
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    #nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    pam_password ad
  - Our problem is that when you log in you are just logged back out.
    - Jon said this had something to do with the fact that you don't have a home directory and it doesn't know your shell.
    - He also mentioned something about the UID from the AD server.
  - This is our error (syslog excerpt, partly illegible):
    ourbox1 ...: Server is unavailable
    ourbox1 login[...]: ... uid=0 euid=0 tty=/dev/tty2 ruser= rhost=
    ourbox1 login: pam_mkhomedir ...
    ourbox1 login: pam_mail(login:session): user unknown
    ourbox1 login: ... umask ...
    ourbox1 login: account for 120683 not foun
45. E.1 Fluxbox menu for admin ... 117
E.2 (title not legible) ... 118
E.3 Fluxbox startup file ... 121
E.4 (title not legible) ... 122
F Readme file ... 123
(title not legible) ... 124
List of Figures
1 PAM configuration syntax [1] ... 11
2 Example of scopes ... 14
3 (title not legible) ... 17
4 Fluxbox as desktop ... 19
5 Hypervisor management tool user interface ... 22
6 (title not legible) ... 28
7 Wireshark: host sent ... 30
8 Wireshark: host received ... 30
9 (title not legible) ... 34
List of Tables
Listings
3.1 nslcd.conf basic ... 13
3.2 (title not legible) ... 14
3.3 Correct mapping ... 16
3.4 (title not legible) ... 16
3.5 lightdm.conf ... 18
3.6 Fluxbox menu syntax ... 20
3.7 VBoxManage commands ... 22
4.1 Note from the IT department ... 25
4.2 (title not legible) ... 25
4.3 ldap.conf V1 ... 27
4.4 (title not legible) ... 27
4.5 getent command ... 29
4.6 (title not legible) ... 30
4.7 getent passwd 121088 ... 31
4.8 getent passwd 21088 ... 31
4.9 (title not legible) ... 32
4.10 Make a h
46. LDAP basics
The next step was to configure LDAP to automatically establish a connection to the AD server and authenticate the users. The LDAP configuration file is located at /etc/ldap.conf, and this is how the first configuration looked (for an explanation of the directives see section 3.3.3):
Listing 4.3: ldap.conf V1
    uri ldap://128.39.140.10
    base ou=student,dc=hig,dc=no
    binddn cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
    bindpw PASSWORD
    scope sub
    ldap_version 3
Note that bindpw is stored in clear text in a file that has to be readable by every process doing name lookups; the usual practice is to use rootbinddn and keep the password in /etc/ldap.secret with mode 0600 instead, and the plain ldap:// URI means the bind and the lookups also cross the network unencrypted (see the capture in Figure 7).
Before PAM could use LDAP properly, the OS needed to know that lookups would not only be done through the local files but also through the AD server. That was done in /etc/nsswitch.conf by adding ldap at the end of the three lines which start with passwd, group and shadow (for an explanation of nsswitch.conf see section 3.5):
Listing 4.4: nsswitch.conf
    # /etc/nsswitch.conf
    passwd:    compat ldap
    group:     compat ldap
    shadow:    compat ldap
    hosts:     files mdns4_minimal [NOTFOUND=return] dns
    networks:  files
    protocols: db files
    services:  db files
    ethers:    db files
    rpc:       db files
    netgroup:  nis
Now that LDAP was configured with the basics, the OS knew that if a user could not be found locally, a search through the AD directory would also be performed. The way we checked whether the OS grants access to a user from the AD server was throu
47. BACHELOR THESIS: OurBox. AUTHORS: Gavin Thomas Garrad, Stepan Maluchev. DATE: 15.05.2015
Summary of the bachelor thesis (Norwegian summary, translated)
Title: OurBox. No.: Date: 15.05.2015. Participants: Gavin Thomas Garrad, Stepan Maluchev. Supervisor: Erik Heljmås. Employer: Høgskolen i Gjøvik. Contact person: Thommas Kimmerich. Pages: 125. Appendices: 15. Availability: Open.
Short description of the bachelor thesis: The Cisco lab at HiG currently consists of old Windows 7 machines which are available to everyone who is in the lab. The students have full administrator rights on these machines, which means that a student can do whatever they want on them, while the machines' real purpose is only to be used together with Cisco equipment for configuration and testing. The project's goal is to make a prototype where the students do not have full administrator rights on the machine itself, but instead administrator rights on the virtual machines that are created, so that the students have their own test environment which cannot affect other students. The report has been written so that those who will further develop the project can understand our choices and assessments from theoretical and practical reasoning.
Summary of Graduate Project. Title: OurBox. No.: Date: 15.05.2015
48. Fluxbox in /etc/profile.d (see section 3.9), inside the script which sets up the virtual machines for VirtualBox. This was a partial success: it was possible to get the window manager up and running, but it had no function at all, while the virtual machines worked.
Sessions
Since the script inside /etc/profile.d did not fully work, we had to take a look at sessions (see Listing B.5). We found out that we could change the default session after Fluxbox was installed. To get this to work we inserted
Listing 4.12: Default session
    [SeatDefaults]
    user-session=fluxbox
in /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf. The result is Figure 9.
Figure 9: Changed the default session (the LightDM "Select desktop environment" list now shows Fluxbox as default and Ubuntu).
Configuration of Fluxbox
We needed to restrict what the user could do (see section 3.7.2). The way to do that was to change the config in /etc/X11/fluxbox:
Listing 4.13: Fluxbox changed
    # This is an automatically generated file. Please see </usr/share/doc/menu/README>
    # for information. To use your own menu, copy this to ~/.fluxbox/menu, then edit
    # ~/.fluxbox/init and change the session.menuFile path to ~/.fluxbox/menu
    [begin] (Fluxbox)
    # Automatically generated file. Do not edit (see /usr/share/doc/menu/html/index.html)
    [submenu] (Applications)
A trimmed menu only hides entries; it does not stop a user who reaches a shell, or who can edit ~/.fluxbox/keys, from starting other programs, which is why the TTY consoles are disabled as well (section 5.1).
49. If the host OS is Linux there are three choices of technology: Xen and KVM, and one he will not mention.
- The challenge there is that the different virt managers are poorly standardised; they usually need a lot of privileges.
- VirtualBox is the last choice; it packages the hypervisor etc. in one package.
- Xen via xm: full control through the CLI; with libvirt on top of Xen you lose a lot of functionality.
- VirtualBox: you get a GUI, can use the CLI, and you can script it.
- A common way to make disk images is to use qemu; this is for Xen and KVM.
- If we are going to do it the way we are doing it now, there is VMware Lab Manager, which has taken 12 years to develop.
- Logging in as different users: then we must copy images to their home areas.
- An important thing is to be able to use the host as a workstation.
- If the host OS is Windows, VirtualBox works very well. https://www.virtualbox.org/manual/UserManual.html
05.02.15
- More info about libvirt:
  - A libvirt forum: https://www.redhat.com/archives/libvirt-users/index.html
  - Can use SASL, which is used to provide authentication. This will encrypt (MD5) all information going between the hypervisor and libvirt. After SASL is active you will be prompted by libvirt to provide a user account and password each time an operation is performed. http://prefetch.net/blog/index.php/2009/06/16/create-sasl-accounts-for-libvirt/
    - It is possible to use SASL authentication with an LDAP database: http://blog.toxa.de/archiv
LDAP is a protocol used for accessing and maintaining directory information over a network (see section 3.1). PAM is a framework that makes it possible for applications to authenticate against an LDAP server and to perform related activities (see section 3.2.1). Cisco is a manufacturer of network equipment; a Cisco lab is a lab containing Cisco equipment where testing and learning is performed. A TTY is a text terminal where the user only gets a CLI to work with. OS is an operating system.

[Figure: Gantt chart of the project plan (figure residue, not reproduced). Recoverable task names: Working with LDAP, User authentication, Final prototype.]
    5   map passwd gecos          description
    6   map passwd loginShell     "/bin/bash"
    7   map passwd uidNumber      msSFU30UidNumber
    8   filter shadow             (&(objectClass=user))
    9   map shadow uid            sAMAccountName
    10  map shadow shadowLastChange pwdLastSet

The attributes used in Listing 4.9 are defined in section 3.3.3.
Lines 1 and 8: Set the passwd and shadow filter attribute to "user"; by default this is "posixAccount".
Lines 2 and 9: Set the uid, which in the AD is named sAMAccountName.
Line 3: Sets the gidNumber to 125, the GID of vboxusers. To be able to use the extension pack in VirtualBox the user must be a member of this group (see section 4.4.2).
Line 4: Sets the home directory to /home/<student number>.
Line 5: The AD has an attribute named description which contains the full name of the user.
Line 6: There is no loginShell attribute in the AD, so we set it here.
Line 7: The AD has an attribute named msSFU30UidNumber which holds the user number.
Line 10: The AD's name for this attribute is pwdLastSet.
The syntax of the mapping is only slightly different from ldap.conf (see the listing), but this solved the mounting problem.

4.1.5 Home directory with a desktop environment
The last problem here is that when a user logs in they are placed in their home directory, but the directory contains absolutely nothing. The solution was to create a new desktop environment which contains a Desktop folder, a Downloads folder etc. for ever
Virsh and libvirt together with KVM; KVM is what is used in SkyHiG.
- He also thought that this authentication and grouping of users together with LDAP would be difficult.
- We meet tomorrow to write the project plan; we are also considering working over the weekend so we can hand it to Erik as early as possible.

22.01.2015
We have made proper group rules.
- We have started writing the project plan.
  - Gavin has started on point 1 of the project plan, "Mål og rammer" (goals and framework), and continues with it tomorrow.
  - Stepan has started on point 2 of the project plan, "Omfang" (scope), and continues with it tomorrow.
- We are going to write large parts of the project plan tomorrow.
- We received the requested update from Thomas on the requirement specification we had previously sent him. He has forwarded it to Germany.
- Thomas and Erik will now have a joint meeting with us on Wednesdays at 10:15 in Thomas's office.

23.01.15
- We continued where we left off yesterday.
  - Points 1, 2, 3 and 4 are almost finished.
- We received an e-mail about the project agreement, which we must sort out at the meeting.
  - We need Thomas's signature.

28.01.15 Minutes from the meeting
- Regarding our first partial delivery:
  - The goal of this task is not to build large networks, but on a later occasion that should be possible.
- Second step: the main point here is to have a hypervisor that is restricted by group permissions.
  - Task description as bullet points. Frode was going to
packages.debian.org/sid (Online; accessed 10.05.15).
[13] Microsoft (2015). Differences between LDAP 2 and LDAP 3. https://msdn.microsoft.com/en-us/library/aa366099(v=vs.85).aspx (Online; accessed 29.04.15).
[14] Oracle and/or its affiliates (2015). Format of the nsswitch.conf file. http://docs.oracle.com/cd/E19683-01/817-4843/a128wit-84565/index.html (Online; accessed 28.04.15).
[15] Archlinux (2015). Display manager. https://wiki.archlinux.org/index.php (Online; accessed 08.05.15).
[16] Archlinux (2015). Window manager. https://wiki.archlinux.org/index.php (Online; accessed 08.05.15).
[17] Dunn, S. (2015). What is a window manager. https://www.media.mit.edu/wearables/mithril/anduin/window_manager.html (Online; accessed 10.05.15).
[18] Boetes, H. (2015). startfluxbox(1) manual page. http://www.fluxbox.org/help (Online; accessed 01.05.15).
[19] Rouse, M. (2015). Hypervisor. http://searchservervirtualization.techtarget.com/definition/hypervisor (Online; accessed 11.05.15).
[20] Vanover, R. (2015). Type 1 and type 2 hypervisors explained. virtualizationreview.com/blogs/everyday-virtualization/2009/06/type-1-and-type-2-hypervisors-explained.aspx (Online; accessed 05.05.15).
[21] Oracle (2015). Oracle VM VirtualBox. https://www.virtualbox.org/manual (Online; accessed 01.05.15).
[22] linuxfromscratch.org (2015). The Bash shell startup files. linuxfromscratch.org/blfs/view/6.3/postlfs/profile.html (Online; accessed 13
this. Possibilities with VirtualBox. Everything is about the hypervisor itself and the restrictions there. Search the net for advantages and disadvantages; does the solution satisfy the requirements? In the end it should be possible for the teacher to sit somewhere and fire up VMs from a PC; this is to save the time of installing a VM physically on every PC. Someone else can make the interface. What kind of hypervisor? Every time the student starts the PC everything should be base-configured; no host or anything like that is needed unless it brings greater advantages. At the end of the bachelor project all the other steps required to get the system 100% up and working should be in place. From 4 February, after 13:00 it is not possible to get in. 09:30 on Wednesdays there will be regular meetings with Thomas. The week before and after Easter. Write the requirement specification for next time. Gavin: look into KVM.

http://serverfault.com/questions/23738/run-virtual-machines-without-a-host
"KVM, or Kernel-based Virtual Machine, basically turns the Linux kernel into a hypervisor. It's been around since 2007 and it's awesome at using your hardware's virtualization extensions like Intel's VT-x or AMD-V. It's great for running multiple operating systems like OS X and FreeBSD and Linux and Windows all on top of this one VM infrastructure."

20.01.2015
Worked with the specification of the system. We have discussed how we are supposed to set up the hosts. How the me
credentials. This solved the binding problem, but the user still could not be granted permission to log in.

4.1.3 Configuring the LDAP mapping
For mapping attributes between Unix and AD, see the definition of the attributes in section 3.4.2. If the mapping is done correctly and LDAP is configured correctly, all users in the AD are displayed by the command in Listing 4.5.

Listing 4.5: getent command
    getent passwd

The output first lists the users from the local /etc/passwd and then searches the AD and lists those users. We used Wireshark to identify the packets and check which attributes our host asks for and what the AD server returns; this gave us a better understanding of what really happens and which attributes need to be mapped correctly. In Figure 7 we can see that the host asked the AD server for 10 attributes but only received 5 of them (see Figure 8).

Figure 7: Wireshark capture of the LDAP searchRequest (messageID 2) from the host 10.10.0.70 (port 46521) to the AD server 128.39.140.10 (port 389), base object ou=student,dc=hig,dc=no, scope wholeSubtree. [Packet details not reproduced.]
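The attribute check the Wireshark session above did by hand can be scripted: compare the attributes an AD entry actually contains with the AD attribute names that the nslcd mapping of section 4.1.3 relies on (sAMAccountName, description, msSFU30UidNumber, pwdLastSet). The script below is an added example and not code from the OurBox report; the LDIF entry in it is constructed to mimic a reply in which the Unix-specific msSFU30UidNumber is missing, which is exactly the case where nslcd can see the user but cannot build a passwd entry for it.

```shell
#!/bin/sh
# Added example (not from the OurBox report): check an LDIF entry returned by
# Active Directory against the AD attributes the nslcd passwd/shadow mapping
# of section 4.1.3 needs. A mapped attribute that AD never returns means
# "getent passwd" will not show the user even though the bind succeeded.

# AD attributes named on the right-hand side of the nslcd "map" lines.
MAPPED_ATTRS="sAMAccountName description msSFU30UidNumber pwdLastSet"

# Constructed sample LDIF for this example, not a real server response.
# msSFU30UidNumber is deliberately absent.
SAMPLE_LDIF='dn: CN=120683,OU=12HBWUA,OU=Student,DC=hig,DC=no
objectClass: user
sAMAccountName: 120683
description: Stepan Maluchev
pwdLastSet: 130755450000000000
userAccountControl: 512
'

# missing_attrs LDIF ATTRS: print every name in ATTRS that does not occur
# as "name:" at the start of a line in LDIF, one per line. The comparison is
# case-insensitive because LDAP attribute names are.
missing_attrs() {
    ldif=$1
    attrs=$2
    for a in $attrs; do
        if ! printf '%s\n' "$ldif" | grep -qi "^${a}:"; then
            printf '%s\n' "$a"
        fi
    done
}

# check_mapping LDIF: return 0 if every mapped attribute is present,
# otherwise list the absent ones on stderr and return 1.
check_mapping() {
    m=$(missing_attrs "$1" "$MAPPED_ATTRS")
    if [ -n "$m" ]; then
        printf 'mapped attributes absent from the AD entry:\n%s\n' "$m" >&2
        return 1
    fi
    return 0
}

# Against the real server the entry would come from ldapsearch, e.g.
#   ldapsearch -x -H ldap://128.39.140.10 -b ou=student,dc=hig,dc=no \
#       -D "$BINDDN" -W '(sAMAccountName=120683)' \
#       sAMAccountName description msSFU30UidNumber pwdLastSet > entry.ldif
#   check_mapping "$(cat entry.ldif)"
check_mapping "$SAMPLE_LDIF" || echo "nslcd will not build a passwd entry for this user"
```

Run against a live entry, a non-zero exit from check_mapping points at the attribute to request from the AD administrators (or to remap, as the report did for loginShell) before spending more time on PAM.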
Make a plan for the nine weeks ahead so that we cover everything we are supposed to include. Ask Erik why we have problems with Fluxbox when we start it from profile.d: we cannot run or execute any programs. Find out whether we need a home directory or not. Make sure the files are not created in the home directory on Loke's servers but on the local PC; stay away from mounting the home folder inside the CP. Perhaps make it possible for a VM folder to have several users and not only one; make groupings in some way. Remember that if it is necessary for a user to be able to set groups himself, that will be approved: make a script that takes parameters and creates and makes the VMs shared between such and such users. The only thing besides the VirtualBox window that should be available to the user. The umask command (setting the default access mode) may be of help. Find a way for a user to be able to set groupings himself, because you really have to be the root user to do that: users can have access and put a file in a shared directory where the file contains the usernames they want grouping with; then a crontab runs, checks every 5 minutes and executes the files. MAP: the simplest way with LDAP is PADL Software Pty Ltd's PAM LDAP. Ask John and get him to give us LDAP access; if not, we must do it locally. Every PC that starts gets
Step: Select VDI (VirtualBox Disk Image). Click Next.
Step: Select Dynamically allocated. Click Next.
Step: Choose how much disk space the virtual drive should have, preferably 8 GB if it is Ubuntu or more than 30 GB if it is Windows.
Step: Now you have created a VDI image. Next you need to install the desired OS into that image. Right-click the VM in VirtualBox.
11. Step: Choose Settings.
12. Step: Choose Storage.
13. Step: Select the Controller: IDE entry. When it is selected you should see two icons, a CD with a plus icon and a hard drive with a plus icon. Select the CD with the plus icon.
14. Step: A window should appear. Click Choose Disk.
15. Step: Navigate to the operating system you want to install (it should be an .iso file). Select it and click Open.
16. Step: You should now see a new entry under Controller: IDE. If you do, click OK in the bottom right.
17. Step: Run your VM by clicking the arrow labelled Start.
18. Step: Install your OS.
19. Step: Now that you have made the image it should be in /home/<your folder>/VirtualBox VMs/<name of the image you made>/<name>.vdi. This is the image you should use in 2.

C Code

C.1 afterInstallation.sh
    #!/bin/bash
    # This has to be run as the user, not root
    echo -e "[begin] (fluxbox)\n[include] (/etc/X11/fluxbox/fluxbox-m
administrator and will give the students administrator rights on the virtual machine.

| Met       | Requirement                                                                 | Comment |
|-----------|-----------------------------------------------------------------------------|---------|
| Yes       | Connect with HiG LDAP for authentication                                    | Since the host's OS is Ubuntu we used LDAP/PAM to authenticate against HiG's AD server. This was successful and lets users authenticate with the same username and password they use at HiG. |
| Yes       | Authorised by a local entity (cisco-lab)                                    | The user can enter their credentials on the local machine and access the system. |
| No        | As a guest user                                                             | Not at this time; no guest session exists. This has to be implemented in a later project. |
| Partially | Groups have to exist                                                        | At the moment users are automatically assigned to the group vboxusers (GID 125), which lets them benefit from the extension pack installed with VirtualBox. |
| No        | Each group consists of one or more users                                    | This requirement was not implemented in the thesis. |
| No        | They share one folder where the VMs for the group are stored                | This requirement was not implemented in the thesis. |
| No        | Each user's VM is stored in the group folder                                | This requirement was not implemented in the thesis. |
| Yes       | Administrators have full permission to change configuration settings on the hypervisor | There is only one local administrator on the host machine. The administrator needs to switch desktop environment before configuring the hypervis |
    # Mappings for Active Directory
    pagesize 1000
    filter passwd             (&(objectClass=user))
    map    passwd uid         sAMAccountName
    map    passwd gidNumber   125
    map    passwd homeDirectory "/home/$sAMAccountName"
    map    passwd gecos       description
    map    passwd loginShell  "/bin/bash"
    map    passwd uidNumber   msSFU30UidNumber
    filter shadow             (&(objectClass=user))
    map    shadow uid         sAMAccountName
    map    shadow shadowLastChange pwdLastSet

E Fluxbox config

E.1 Fluxbox menu for admin
    [begin] (fluxbox)
    [include] (/etc/X11/fluxbox/fluxbox-menu)
    [submenu] (Switch Environment)
        [exec] (Unity) {gnome-terminal -x sudo mv /usr/share/ubuntu.desktop /usr/share/xsessions/}
        [exec] (Fluxbox) {gnome-terminal -x sudo mv /usr/share/xsessions/ubuntu.desktop /usr/share/}
    [end]
    [end]

E.2 Fluxbox keys file
    # click on the desktop to get menus
    OnDesktop Mouse1 :HideMenus
    OnDesktop Mouse2 :WorkspaceMenu
    OnDesktop Mouse3 :RootMenu

    # scroll on the desktop to change workspaces
    OnDesktop Mouse4 :PrevWorkspace
    OnDesktop Mouse5 :NextWorkspace

    # scroll on the toolbar to change current window
    OnToolbar Mouse4 :PrevWindow {static groups} (iconhidden=no)
    OnToolbar Mouse5 :NextWindow {static groups} (iconhidden=no)

    # alt + left/right click to move/resize a window
    OnWindow Mod1 Mouse1 :MacroCmd {Raise} {Focus} {StartMoving}
    OnWindowBorder Move1 :StartMoving
Look at getting Fluxbox started, perhaps from somewhere else. Trying to find out how startx works in full.
- https://wiki.ubuntu.com/CustomXSession
- LDAP
  - Find out who you are as a response from the LDAP DB:
        ldapwhoami -h 128.39.41.128 -x -D ""
    Returns: anonymous
  - If we want to check a username and retrieve some basic information about the user we do it with this syntax (source for the script syntax):
        ldapsearch -x -h 128.39.41.128 -b dc=hig,dc=no -p 389 uid=120683
        # extended LDIF
        #
        # LDAPv3
        # base <dc=hig,dc=no> with scope subtree
        # filter: uid=120683
        # requesting: ALL
        #

        # 120683, Avdeling for informatikk og medieteknik, hig.no
        dn: uid=120683,ou=Avdeling for informatikk og medieteknik,dc=hig,dc=no
        uid: 120683
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: inetOrgPerson
        sn: Maluchev
        cn: Stepan Maluchev
        ou: Avdeling for informatikk og medieteknik
        labeledURI: http://www.stud.hig.no/120683
        mail: stepan.maluchev@hig.no
        title: Student
        givenName: Stepan

        # search result
        search: 2
        result: 0 Success

        # numResponses: 2
        # numEntries: 1
  - If we also want to add another search parameter, e.g. we want to search for a username under Avdeling for informatikk og medie
but all their work will be lost.

2 Installation
1. Step: Configure your VDI images in a hypervisor, preferably VirtualBox. Configure them with the applications you need. Put the VDI images in a folder named os.
2. Step: Put the folder which contains the script to run and its necessary files, and the os folder, on a flash drive.
3. Step: Install Ubuntu on the host machine.
4. Step: Copy these two folders onto the administrator's desktop on the host machine where you want the system.
5. Step: Open a terminal and run chmod +x <path to>/runMe.sh, where <path to> is the path to the script.
6. Step: In the terminal type <path to>/runMe.sh, where <path to> is the path to the script.
7. Step: Wait until it reboots. After the reboot you should see something like Figure 1.

Figure 1: Unity greeter (with a "Guest Session" entry).

8. Step: Before you log in, press the circle and select Fluxbox. Left-click Fluxbox even if it is already set as default.

Figure 2: Choice of desktop ("Select desktop environment": Fluxbox (Default), Ubuntu).

9. Step: Now you can log in as the administrator and you get the Fluxbox desktop. Next you need to remove the possibility of choosing Unity: right-click the desktop, a menu should pop up with an entry that says Switch Environment; enter that menu and choose Fluxbox.

Now you have fully ins
handling of the windows. Fluxbox has different workspaces, a root menu and shortcut keys. Both the root menu and the shortcut keys are highly configurable and can run very specific commands.

3.7.2 Configuration files
There are two places to configure Fluxbox: /etc/X11/fluxbox or /home/<username>/.fluxbox. The difference is that /etc/X11/fluxbox applies to the whole system, so every new user who uses Fluxbox gets this configuration, while a user may tailor his own style and functions in /home/<username>/.fluxbox.

Contents of /etc/X11/fluxbox:
1. apps
2. fluxbox-menu
3. fluxbox-menu.user
4. keys
5. menudefs.hook
6. overlay
7. system.fluxbox-menu
8. window.menu

Fluxbox menu
In the fluxbox-menu file it is possible to configure how the standard menu should look. Figure 4 shows a menu that has been configured.

Listing 3.6: Fluxbox menu syntax
    [begin] (name of the menu)
        [submenu] (name of the submenu)
            [exec] (name) {code}
        [end]
    [end]

Keys
The keys file is where an administrator edits which keyboard shortcuts the user shall have, such as opening a terminal or starting an application of his choice.

Contents of /home/<username>/.fluxbox
This folder is very much like the one in /etc/X11/fluxbox; the files only include the necessary files from /etc/X11/fluxbox, so menu would include fluxbox-menu
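Because the student restriction in this project is implemented by what the Fluxbox menu and keys files expose (section 4 changes /etc/X11/fluxbox for that purpose), it is worth auditing those two files for the commands they can launch before installing them: the administrator menu of appendix E.1, for example, opens gnome-terminal and runs sudo. The script below is an added example, not code from the OurBox report. It extracts the [exec] commands from a menu and the ExecCommand bindings from a keys file and checks their first word against an allow-list; the menu and keys texts are constructed for the example. Note that this is a configuration check, not a security boundary: a user who reaches a shell through any other path (a file dialog in VirtualBox, a TTY) is not stopped by the menu.

```shell
#!/bin/sh
# Added example (not from the OurBox report): list and audit the commands a
# Fluxbox menu file and keys file can launch. Sample configuration texts are
# constructed for this example.

# A student menu that exposes VirtualBox only (the intent of section 4).
RESTRICTED_MENU='[begin] (Fluxbox)
    [exec] (VirtualBox) {virtualbox}
    [exit] (Exit)
[end]'

# The administrator menu of appendix E.1: it launches a terminal and sudo,
# so it must never be installed as the system-wide student menu.
ADMIN_MENU='[begin] (Fluxbox)
    [include] (/etc/X11/fluxbox/fluxbox-menu)
    [submenu] (Switch Environment)
        [exec] (Unity) {gnome-terminal -x sudo mv /usr/share/ubuntu.desktop /usr/share/xsessions/}
        [exec] (Fluxbox) {gnome-terminal -x sudo mv /usr/share/xsessions/ubuntu.desktop /usr/share/}
    [end]
[end]'

# A keys file with one terminal binding left in (constructed).
KEYS='# desktop and keyboard bindings
OnDesktop Mouse3 :RootMenu
Mod1 F1 :ExecCommand gnome-terminal
Mod4 v :Exec virtualbox'

# menu_execs MENUTEXT: print the command of every [exec] (label) {command}
# entry, one per line. [include]/[submenu]/[exit] entries launch nothing.
menu_execs() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\[exec\][^{]*{\([^}]*\)}.*/\1/p'
}

# keys_execs KEYSTEXT: print the command of every :Exec/:ExecCommand binding.
keys_execs() {
    printf '%s\n' "$1" | sed -n 's/^[^:]*:[[:space:]]*Exec[A-Za-z]*[[:space:]]\{1,\}\(.*\)$/\1/p'
}

# audit_commands ALLOWED CMDS: ALLOWED is a space-separated list of program
# names, CMDS is newline-separated command lines. Return 0 if the first word
# of every command is allowed, otherwise print the offenders and return 1.
audit_commands() {
    allowed=" $1 "
    bad=""
    IFS='
'
    for cmd in $2; do
        first=${cmd%% *}
        case "$allowed" in
            *" $first "*) ;;
            *) bad="${bad}${cmd}
" ;;
        esac
    done
    unset IFS
    [ -z "$bad" ] && return 0
    printf 'not allowed:\n%s' "$bad" >&2
    return 1
}

# Usage against the sample texts; on a host, feed "$(cat /etc/X11/fluxbox/fluxbox-menu)".
audit_commands virtualbox "$(menu_execs "$RESTRICTED_MENU")" && echo "student menu: ok"
audit_commands virtualbox "$(menu_execs "$ADMIN_MENU")" || echo "admin menu: not for students"
audit_commands virtualbox "$(keys_execs "$KEYS")" || echo "keys: terminal binding present"
```

Run it on both /etc/X11/fluxbox/fluxbox-menu and /etc/X11/fluxbox/keys after runMe.sh has copied them in; the keys check is the one that is easy to forget, since the default keys file binds a terminal to Mod1+F1.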
package libpam-ldap, by this ldapsearch request entered in the CLI:

Listing 4.2: ldapsearch
    ldapsearch -x -h 128.39.140.10 -b ou=student,dc=hig,dc=no -p 389 \
        -D cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no -W samaccountname=120683

    # 120683, 12HBWUA, Student, hig.no
    dn: CN=120683,OU=12HBWUA,OU=Student,DC=hig,DC=no
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: 120683
    sn: Maluchev
    description: Stepan Maluchev
    givenName: Stepan
    distinguishedName: CN=120683,OU=12HBWUA,OU=Student,DC=hig,DC=no
    instanceType: 4
    whenCreated: 20120807083100.0Z
    whenChanged: 20150511070720.0Z
    displayName: Stepan Maluchev
    uSNCreated: 12497131
    memberOf: CN=hp v2015 imt in ourbox,OU=Hovedprosjekter,OU=Prosjekter,DC=hig,DC=no
    memberOf: CN=SPK BDR,OU=Studieprogrammer,OU=Student,DC=hig,DC=no
    memberOf: CN=Hovedprosjekt,OU=Hovedprosjekter,OU=Prosjekter,DC=hig,DC=no
    memberOf: CN=12HBDRA,OU=12HBDRA,OU=Student,DC=hig,DC=no
    memberOf: CN=12HBWUA,OU=12HBWUA,OU=Student,DC=hig,DC=no
    memberOf: CN=Student,OU=Student,DC=hig,DC=no
    uSNChanged: 36325840
    name: 120683
    objectGUID:: M600ih6 1USCOEAbG1OR0w   (base64 value garbled in extraction)
    userAccountControl: 512
    badPwdCount: 0
    codePage: 0
    c
[Screenshot of the login attempts and /var/log/auth.log on ourbox1 (not reproduced). Readable fragments: a login for uid 0 from an unknown TTY; "pam_kwallet.so: cannot open shared object file: No such file or directory"; "requirement "user ingroup nopasswdlogin" not met by user "ourbox1""; "session opened for user root by ourbox1"; "session closed for user root".]

- pam_winbindd maintains a local database for UIDs; perhaps nss-ldap will not work correctly against AD (getent).

After the meeting with Erik:
- We found out that we have configured most of it right.
- We can contact the AD server and we get authenticated.
- What our problem is:
  - When you log in you do not stay logged in. Erik thinks the problem is with how we do the mappings, since we do not find the user in getent, and we need to find out what is sent over the network. Also the local host cannot find the user in passwd, which we think is a result of us finding the sAMAccountName in the AD, but that is not the one we want. And we need to check what pam_mkhomedir.so exactly does, since when we log in we get "unknown user" when it tries different .so files such as pam_mkhomedir.so. getent passwd should contain the user's entry in the passwd format with the username, user id and home directory, but our user from the AD is not in this output, so he thinks that
first create a qcow2 image file and put it on the desktop.

10.03.15 VirtualBox
    qemu-img create -f qcow2 -b /home/ourbox/Desktop/libvirt/ubuntu.img ~/Desktop/test.qcow2
Now we can create/map this Ubuntu image as multi-attached. Since the student is not a member of the libvirtd group, no root access to the hypervisor is granted. Therefore we make the student start a session to the hypervisor:
    virt-install -n test --vcpu 1 -r 1024 --accelerate --disk path=~/Desktop/test.qcow2,format=qcow2 --import
The step above is also possible in the virt-manager GUI. The problem is that this is not straightforward. It is not a problem if the qcow2 file is in VirtualMachines. To let a student do this we need to add a step-by-step guide. Source: https://docs.google.com/document/d/1X8TaBP1v_rh8e2QXDGFmkmzoPB13Pv-p2VOFQ630VCsU/edit?pli=1
- Step 1: Create a new VM from the "Import existing disk image" option.
- Step 2: Choose your qcow2 image.
- Step 3: Select "Customize configuration before install" before you go forward. Note: without this step you will get a "non bootable" message from the virtual machine.
- Step 4: Set the qcow2 format on the image and begin the installation: Disk1 > Advanced options > Storage format: qcow2 > Begin Installation.
CONCLUSION: In advance you have to create X qcow2 files in VirtualMachines. This way we can create and take into use co
not sure yet how we are going to make it immutable; it seems we still need to either take a snapshot of the image and then delete the snapshot, or delete the COW image and make a new one every time.
  - Creating a new image with all changes made from the original image:
        qemu-img create -f qcow2 -b Ubuntu.img test.qcow2
  - Now we need to create and map this test image in virsh/virt-manager. We can do that with virt-install:
        virt-install -n test --vcpu 1 -r 1024 --disk path=/var/lib/libvirt/images/test.qcow2 --import --accelerate
  - https://lacidborg.wordpress.com/2010/02/18/how-to-create-virtual-machines-using-kvm-kernel-based-virtual-machine/
  - Listing all linked VMs: virsh list --all

24.02.15
- We got the admin user ourbox to run a VM with the qcow2 file, but when we tried to use the same ubuntu.img to make a new qcow2 as another user we were allowed to do so, but it seems not to have any disk space, which is a problem.
  - We did some digging and found this: http://unix.stackexchange.com/questions/159069/how-can-i-create-a-kvm-guest-100-as-a-non-root-user
  - Not sure if this is true or not, but putting it here.
- Found an alternative to starting VirtualBox: http://askubuntu.com/questions/310671/start-ubuntu-without-a-desktop-environment-but-start-an-x-application
- We also found out that when we run VirtualBox from our defaultVMs.sh in profile.d we run
accessed 14.05.15).
[2] Hunter, J. (2015). LDAP search: setting the scope parameter. www.idevelopment.info/data/LDAP/LDAP_Resources/SEARCH_Setting_the_SCOPE_Parameter.shtml (Online; accessed 09.05.15).
[3] Wikipedia (2015). Libvirt, Wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=Libvirt&oldid=660801299 (Online; accessed 12 May 2015).
[4] Neal, pippaluk (2014). LightDM. https://wiki.ubuntu.com/LightDM (Online; accessed 27.04.15).
[5] Ramsay, J. (2015). fluxbox-menu. http://fluxbox.org/help/man-fluxbox-menu.php (Online; accessed 29.04.15).
[6] Oracle (2015). VBoxManage manual. https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifyvm (Online; accessed 10.05.15).
[7] Wikipedia (2015). Lightweight Directory Access Protocol. http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol (Online; accessed 25.04.15).
[8] Wikipedia (2015). List of LDAP software. http://en.wikipedia.org/wiki/List_of_LDAP_software (Online; accessed 25.04.15).
[9] Wikipedia (2015). Pluggable authentication module. http://en.wikipedia.org/wiki/Pluggable_authentication_module (Online; accessed 27.04.15).
[10] Red Hat (2015). Advantages of PAM. http://www.uxsup.csx.cam.ac.uk/pub/doc/redhat/redhat8/rhl-rg-en-8.0/ch-pam.html (Online; accessed 29.04.15).
[11] wolfric (2015). LDAP utils. https://wiki.debian.org/LDAP/LDAPUtils (Online; accessed 10.05.15).
[12] de Jong, A. (2015). Package libpam-ldapd. https://p
    enu)\n[submenu] (Switch Environment)\n[exec] (Unity) {gnome-terminal -x sudo mv /usr/share/ubuntu.desktop /usr/share/xsessions/}\n[exec] (Fluxbox) {gnome-terminal -x sudo mv /usr/share/xsessions/ubuntu.desktop /usr/share/}\n[end]" > ~/.fluxbox/menu

C.2 runMe.sh
    #!/bin/bash
    # Must be run as root: it uses apt-get and writes under /etc and /usr.
    admin=$(zenity --entry --text="What is the username of the administrator?")
    path="/home/$admin/Desktop/firstRun"

    apt-get -y update
    apt-get -y upgrade

    # Put the admin name into the admin variable in installVirtualBox.sh,
    # the script that installs VirtualBox 4.3 and the extension pack.
    sed -i "/^admin=/c admin=$admin" "$path/installVirtualBox.sh"
    # Make installVirtualBox.sh executable and run it
    chmod +x "$path/installVirtualBox.sh"
    "$path/installVirtualBox.sh"

    apt-get install -y fluxbox

    # Configure fluxbox: install the system-wide menu and keys files
    cat "$path/fluxbox-menu" > /etc/X11/fluxbox/fluxbox-menu
    cat "$path/keys" > /etc/X11/fluxbox/keys
    # Start VirtualBox in the background before fluxbox in the session startup script
    sed -i 's|exec fluxbox|exec virtualbox \&\n    exec fluxbox|g' /usr/bin/startfluxbox
    # Make fluxbox the default LightDM session
    echo -e "[SeatDefaults]\nuser-session=fluxbox" > /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf

    # Gives the administrator the menu that switches between the Unity and
    # Fluxbox environments (appendix E.1). The leading dot is assumed; the
    # extraction dropped punctuation from the path.
    cp -r "$path/.fluxbox" "/home/$admin/"

    # Configure the greeter: hide users, allow manual login, no guest session.
    # The destination file is cut off in the original.
    echo -e "[SeatDefaults]\ngreeter-hide-users=true\ngreeter-show-manual-login=true\nallow-guest=false"
Make a presentation and demonstration for Thomas of what works and satisfies our requirements and what does not. From 13 April onwards we should have it
- WebVirtMgr is a libvirt-based web interface for managing virtual machines.
  - Screenshots: https://github.com/retspen/webvirtmgr/wiki/Screenshots
  - http://retspen.github.io
  - https://github.com/retspen/webvirtmgr
- User manual: https://libvirt.org/html
- VirtualBox
  - VBoxManage is the command line interface to VirtualBox: https://www.virtualbox.org/manual/ch08.html

09.02.15
- VirtualBox
  - You can absolutely choose what the user is allowed to do or not by hiding different menu choices.
- Libvirt
  - Polkit reference manual: http://www.freedesktop.org/software/polkit/docs/latest/index.html
  - A brief guide to PolicyKit: http://scarygliders.net/2012/06/20/a-brief-guide-to-policykit
    - The same author also made a basic GUI for polkit: https://github.com/scarygliders/Polkit-Explorer

11.02.15 Meeting
- We do not need to worry about the cable being pulled out etc.
- Every PC shall be connected to a pod; 12 hosts in total, said Thomas, 2 per pod.
- We must draw a network map.
- The students must be able to copy/paste between the VMs.
- It is important that John approves the network structure, where all the PCs are connected to the HiG backbone.
- Not part of our task, but he wants it to be possible later to configure the VMs remotely.
- Every PC must have a trunk with VLANs; different subnets.
- It is important that we include immutable images. Erik says it is important to
set to immutable or multi-attach.

3.10.4 Summary
By using any of the methods mentioned in this section it is possible to run multiple virtual machines on a host without taking up much space: the only space used is the original images and their differencing files.

4 Implementation

4.1 Authentication

4.1.1 Prework
A connection between the host and HiG's LDAP server needed to be set up. We had a slow start, since we first tried to authenticate against the LDAP server ldap.hig.no (128.39.41.128). That server only supported anonymous requests for student names, pictures, e-mail addresses and some other basic attributes, and stored no sensitive information. Later the IT department gave us the parameters needed to establish a connection to the right LDAP server (a recap and definitions of the attributes are in subsection 3.3.3).

Listing 4.1: Note from the IT department
    hig1.hig.no    IP 128.39.140.7
    carol.hig.no   IP 128.39.140.10
    rootDN  dc=hig,dc=no
    bindDN  cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
    baseDN  ou=student,dc=hig,dc=no
    scope   sub

HiG has three LDAP servers of two types that a client can authenticate against: one is a Linux server running OpenLDAP and the other two are Windows servers running Active Directory (AD). From that point on we used carol.hig.no. The first successful connection to the AD server was made with the pa
through a TTY. When e.g. the username 120683 and the password were entered, the login answered that the user or password was wrong. To understand and locate what went wrong we used the authentication log, which is found in /var/log/auth.log.

Figure 6: Binding error (auth.log excerpt, not reproduced).

The log showed that PAM could not bind to the LDAP server and that the bindDN did not work either. This was confusing, because the bindDN and password were correct and an ldapsearch with the same credentials worked fine in the CLI. After some extra research we found some parameters that had not been added to /etc/ldap.conf. One of them was bind_policy soft, which governs how pam_ldap connects to the LDAP server. By default bind_policy is set to hard, which means that if a bind fails it retries the connection to the LDAP server, with a wait in between, using the same credentials several times. In practice this did not work for us. The reason was that the first bind attempt used root's credentials and failed; since hard never unbinds from the first credentials and tries another set, PAM never got to use our bindDN, even though the error message said it had tried it. With the value set to soft the host can give up on the credentials it failed with and try again with another set of credentials. The price of soft is that a failed bind is not retried at all, so a transient outage of the LDAP server makes an existing user look unknown instead of delaying the login; the login path has to tolerate that.
have ready.
  - Some examples of what the network diagram of the Cisco room could look like. Use a fancy program so that we have an original underneath and can draw changes and proposals on top in colour. Google this for inspiration: "Network lab diagram".
  - Set up chapters and make a structure for the whole bachelor thesis; make bullet points of where what goes and insert diagrams.
- If Erik had set up the system he would have put in a manager with Foreman.
  - We can take a trip to Terje and get a demonstration of how Foreman works.
- Thomas said that if the students set up groupings on the PCs themselves, that would not be the end of the world either.

04.03.15 Minutes from the meeting
- Find out why we do not choose libvirt/KVM but rather VirtualBox. VirtualBox has a more mature user interface and is better known to the students. KVM is much better and more mature when it comes to the hypervisor, but in our case VirtualBox will be more suitable.
- Make a Linux server, a mail server and Windows, and have them available when VirtualBox starts.
- Find out whether VirtualBox satisfies all our requirements. If not, explain why not and what can be done to achieve it.
- By 12 April we should have some version of the bachelor thesis. 2-3 weeks before delivery we should also have a revised version for Erik to look at.
- Get automatic spell check for TeXworks.

11.03.15 Minutes
- One delivery to Erik on 7 April, right after Easter. 1/2 before h
74. he scripts in /etc/profile.d help to initialize and set up the environment.

3.10 Image
There are different types of images that can be used in virtualization; in this project vdi and img are used. vdi is an abbreviation for Virtual Disk Image and is the standard image type VirtualBox creates when a new disk image is made. img is the (raw) image file KVM/QEMU creates when a new image is made. There are also some attributes that can be set on the images: immutable and multi-attach.

3.10.1 Immutable
An immutable image behaves like a normal image, but instead of writing its data to the original vdi it creates a differencing file and stores all writes there. This differencing file is discarded every time the virtual machine is started from VirtualBox (a reboot inside the guest does not count, since the VM process keeps running). With this method a user cannot do any damage to the original image, since the changes only exist in the differencing file [23].

3.10.2 Multi-attach
The multi-attach mode works the same way as immutable (section 3.10.1), but the differencing file is not deleted on start-up, so the user's configuration is still the same the next time the user logs back on [23].

3.10.3 Copy-On-Write
qcow2 is an abbreviation for QEMU Copy On Write, and is a storage format created, in our case, by KVM/QEMU. A qcow2 file is created on top of a base image and is a container where all changes performed on the image are saved. This way the original image file (vdi) is not changed. The qcow2 container can be s
75. he virtual machines.
Line 6: This is the regular expression used to find the name "Ubuntu" in the output of VBoxManage list vms.
Line 7: Gets the known VM, which in this case will be Ubuntu, as stated in line 2.
Line 8: Checks whether knownVMs is the same as os; if they are not, lines 9-17 run.
Lines 9-10: Check whether a directory for the os still exists. The VM may have been deleted in VirtualBox without the user deleting everything, so the script makes sure the old directory is removed.
Line 12: Now the virtual machine is created and registered, and it can be seen in the GUI, but it cannot be started until the remaining lines have run.
Lines 13-15: These lines modify the virtual machine that was just made and set how much RAM, how many CPUs and how much video RAM it should have.
Line 16: Adds the storage controller it should use.
Line 17: Attaches the image, in immutable mode, to the controller that was just created.

4.5 Result
4.5.1 Conclusion of the KVM
In advance we have to create n × x qcow2 files in VirtualMachines for each user. It is from these qcow2 files that the user can create virtual machines. The qcow2 file must be created first and is at minimum about 192 KB. The problems are:
- We have to predefine how many VMs a user can create.
- 192 KB × number of the particular OS a user can create × number of different OSes × number of users on the system is too much unused but occupied space.
- When the use
76. hich ends with .sh in /etc/profile.d will be executed every time a user logs in. Therefore we created a script there named defaultVMs.sh with the content:

    #!/bin/bash
    os="Ubuntu"
    user=$(whoami)
    # default VirtualBox machine folder; this is where the differencing files end up
    DIRECTORY="$HOME/VirtualBox VMs/$os"
    if [ "$user" != "ourbox" ]; then
        osRegEx="\"$os\""
        # VBoxManage list vms prints lines of the form "Name" {uuid}
        knownVMs=$(VBoxManage list vms | grep -e "$osRegEx" | awk '{print $1}' | cut -d '"' -f 2)
        if [ "$knownVMs" != "$os" ]; then
            if [ -d "$DIRECTORY" ]; then
                rm -r "$DIRECTORY"
            fi
            VBoxManage createvm --name "$os" --ostype Ubuntu_64 --register 2>&1
            VBoxManage modifyvm "$os" --memory 1024 2>&1
            VBoxManage modifyvm "$os" --vram 256 2>&1
            VBoxManage modifyvm "$os" --cpus 2 2>&1
            VBoxManage storagectl "$os" --name sata1 --add sata 2>&1
            VBoxManage storageattach "$os" --storagectl sata1 --port 0 --device 0 --type hdd --medium /home/ourbox/Desktop/Ubuntu.vdi --mtype immutable 2>&1
        fi
    fi

- Because when the VM is already there the script will try to create a new VM, but
- We have set up an IF to make the script more reliable, and now we are trying to make the script flexible by getting the regex to use variables, but it seems we cannot make it work yet.
- Now we got it to work (how, we do not know), but now when any user logs on, the machine will create 1 default VM in VirtualBox, and if it already has it, it will not create a new VM.
23.02.15
- http://kashyapc.com/2012/09/14/external-and-live-snapshots-with-l
77. his applies as well to companies where employees at GUC and/or students have interests. Assignments with grade C or better are registered and placed in the school's library. An electronic project assignment without attachments will be placed on the library part of the school's website. This depends on the students signing a separate agreement where they give the library the right to make their main project available both in print and on the Internet (cf. the Copyright Act). Employer and supervisor accept this kind of disclosure when they sign this project agreement, and they must give a written message to the students and the dean if they change their view on this kind of disclosure during the project period.
5. The assignment's specifications and results can be used in the employer's own work. If the student(s), in the assignment or while working with it, make a patentable invention, the relations between employer and student(s) apply as described in the Act respecting the right to employees' inventions of 17 April 1970, § 4-10.
6. Beyond the publicising mentioned in item 4, the student(s) have no right to publicise the assignment fully or partly, or as a part of another work, without consent from the employer. Equivalent consent must be made between student(s) and lecturer/supervisor regarding the material placed at their disposal by the lecturer/supervisor.
7. The students shall hand in the assignment with attachments electro
78. ibvirt
http://serverfault.com/questions/240701/can-kvm-roll-back-changes-to-virtual-disks-automatically
http://linux.die.net/man/1/qemu-img
https://www.suse.com/documentation/sles11/book_kvm/data/cha_qemu_guest_inst_qemu_img.html
http://en.wikibooks.org/wiki/QEMU/Images
- We followed this guide to install QEMU/KVM:
  - http://www.howtogeek.com/117635/how-to-install-kvm-and-create-virtual-machines-on-ubuntu/
  - We also had to install the qemu-system package: apt-get install qemu-system
- We searched the internet for a smart solution for this immutable image:
  - http://kashyapc.com/2012/09/14/external-and-live-snapshots-with-libvirt/
  - http://serverfault.com/questions/240701/can-kvm-roll-back-changes-to-virtual-disks-automatically
  - We found a possible solution with
    - http://linux.die.net/man/1/qemu-img
    - which means that we need to make a script which takes a snapshot of an image and then deletes that snapshot after it has been used.
    - We did not go for this solution.
  - We found COW (copy-on-write), which we then thought was better:
    - http://en.wikibooks.org/wiki/QEMU/Images
    - We found out that COW works like this: you have a base image, from which you make an image in copy-on-write mode, so that the base image doesn't get touched but every change we make is done to the copy-on-write image. But it seems that we then have to make a COW image for every user that is going to have a VM, and we ar
79. id we solve the planning and frameworks, and what did we have in mind for getting this project done by the deadline? We are now going to take a closer look at what needed to be done before we could start working on the actual project.

1.5.1 Development model
We agreed right away that the system development model we are going to use is the incremental model, since we think this will benefit us the most. We could have gone for the waterfall model, but we feel that it is too rigid; we want the possibility to change previous steps. That is why we think it will be easier for us to use the incremental model. Scrum and XP were out of the question: we did not want to go with a very agile development method, since we have a fixed deadline for when this project has to be finished. Basically, we chose the incremental model because it makes it somewhat easier for us to focus on getting one part of the system to work, check that it really is working, and then integrate it with our system. At this point in the model we can also make changes to the system and make it work better. Had we gone for the waterfall model we could not have done that. After we have integrated a part into our system we will need to validate that the whole system works.

1.5.2 Gantt diagram
To plan and show our activities against time we created a Gantt diagram (see the figure on page 6). On the left side of
80. if not by the end of this project, then shortly after.
- We are only going to create a prototype of this system.

1.1.2 Task description
This project has its main focus on the authentication part; however, several other important aspects are included to form this project:
1. Only a hypervisor will be running
2. Login prompt for authentication
3. Be able to connect to the Internet and the Cisco internal network
4. Make a prototype running on one host

Now let us detail those points. The first thing we will do is make one host PC boot directly into a hypervisor without booting an entire OS such as Windows 7. This way we will not waste resources on running an entire OS with a hypervisor on top of it. It will also minimize the users' ability to ruin the host's configuration. When we say that no OS will be started, only a hypervisor, this is our goal; if we cannot make this happen, a hypervisor running on top of an OS will also be accepted.

The next step will be to create a login prompt, so that users and administrators must enter a username and a password. This will be the same username and password as a user enters when logging into fronter.no/hig or into HiG's website. The purpose of this step is to draw a clear line of authority between what an administrator can do and what a user can
81. ges are to be saved to a separate file. This way all users will be able to start and work on a base OS with their own changes on top.
- Erik drew an overview of how the network could look.
Got an email from Erik: "I have talked with Jon and agree with him that we try VirtualBox first."
16.02.15
- VirtualBox
  - Tested this with VirtualBox and immutable images.
  - Also whether we can boot the same image as another user.
    - We managed that, but the other user's image was not immutable.
  - But on our admin user we had to set the image to a group and give read and write permissions for another user to be able to use the same image.
  - We got it so that one user could have a normal image and make changes, which the one with the immutable image could then see.
  - We went back and forth a lot to test different ways. But it did not go so well with only read permissions, at least.
  - We also had to read up a bit on group policy to make it work at first.
  - We have another mode we can also look at, and that is multi-attach mode.
17.02.15
- Had to install everything on the PC again. Fiddled a bit to get VirtualBox 4.3.22 installed.
  - Create an admin user "ourbox" and a standard user "me".
  - Add both to the group aaa: usermod -a -G aaa ourbox; usermod -a -G aaa me
  - Create a VM as Ubuntu 14.04.1 Desktop on the ourbox user. We placed it in
82. inute, but the machine will reboot afterwards. When the machine boots up again you need to log in, in Fluxbox, as the user you made. Then you can log out, log in again into Unity and run afterInstallation.sh: open a terminal and run /path/to/afterInstallation.sh. What afterInstallation.sh does is configure the admin user's Fluxbox to have some extra functionality, so that you can lock the machine down so that the other users cannot log in to Ubuntu (Unity) but only to Fluxbox.

G Project agreement
HØGSKOLEN I GJØVIK
PROJECT AGREEMENT
between Gjøvik University College (GUC) (education institution), THOMAS KEMMERICH (employer) and Stepan Maluchev, GAVIN T. GARRAD (student(s)).
The agreement specifies the obligations of the contracting parties concerning the completion of the project and the rights to use the results that the project produces.
1. The student(s) shall complete the project in the period from [handwritten date, illegible] to [handwritten date, illegible]. The students shall in this period follow a set schedule where GUC gives academic supervision. The employer contributes with project assistance as agreed upon at set times. The employer puts at disposal the knowledge and materials necessary to complete the project. It is assumed that the given problems in the project are adapted to a suitable level for the students' academic knowledge. It is the employer's duty to evaluate the project free of charge on enquiry from GUC.
2. The co
83. ions
End of week: new PC; researched more on the manager.
Meeting with Jon
- He thinks we can easily use VirtualBox.
  - In VirtualBox you can make a virtual machine that is a clone of another virtual machine.
  - Then we can make a root VM which can be cloned and used.
  - Drop VMware from your thoughts.
  - VMware will create more problems and a fair bit more maintenance.
- Immutable disk images.
We asked the question about kiosk mode with VirtualBox:
  - He does not think it really exists.
  - He says it may be possible to hack it.
It was mentioned, with regard to security, that they have access to the hardware, so security ... Why should one have to start a VM to get access to PuTTY? Lillemyk is to be included, so we need virtualization.
If the host OS is a form of Linux, there are three choices of technology: Xen, KVM and one he will not mention.
- The challenge there is that the different virt managers are poorly standardized; they usually need a lot of privileges. VirtualBox is the last choice: package manager, hypervisor etc. in one package. Xen via xm gives full control through the CLI; with libvirt on Xen you lose a lot of functionality. With VirtualBox you get a GUI, can use the CLI and can script.
A common way to make disk images is to use qemu; this is for Xen and KVM. If we do it the way we are doing now, there is VMware Lab Manager, which has taken 12 years to develop.
Logging on with different users, so we must copy images to their home or
84. is project will understand our choices based on theoretical and practical reasons.

Short description of the bachelor thesis (Norwegian abstract)
The Cisco lab at HiG currently consists of old Windows 7 machines that are available to everyone present in the lab. The students have full administrator rights on these machines, which means a student can do whatever they want on them, while the machines' real purpose is only to be used together with Cisco equipment for configuration and testing. The project's goal is to make a prototype where the students do not have full administrator rights on the machine itself, but rather administrator rights on the virtual machines that are created, so that the students have their own test environment that cannot affect other students. The report's content has been written so that those who are to develop the project further will be able to understand our choices and assessments from theoretical and practical reasoning.

Foreword

1 Introduction
1.1 Problem
The way the students work in the Cisco lab today is neither secure nor responsible. Therefore Thomas Kimmerich wants to make some upgrades and improve this. He also wants it to be possible to do different activities on those large networks, such as CTF (Capture the Flag). The way the Cisco lab is set up today does not give the possibility of making any large network: there are about 12 computers in a room, and they are not strong enough to
85. it can't catalog/find the user.
  - We are going to check what is being sent over the network with Wireshark.
  - We also might have to install another package, winbind. Check pam_ldap, winbind and nss_winbind.
- Wireshark filter: (ip.src == 10.10.0.239 || ip.dst == 10.10.0.239) && tcp.port == 389
- If we enter getent passwd 121088 we get no results; the search is for uidNumber=121088. There are no attributes named uidNumber in the AD, but there is one named msSFU30UidNumber. If only we could get it to search for sAMAccountName instead.
Wireshark: But when we enter getent shadow 121088 we get 1 result; the search is for
[Wireshark capture (figure): LDAP searchRequest exchange between 10.10.0.239 and 128.39.140.10; filter (&(objectClass=user)(uidNumber=121088)), i.e. equalityMatch objectClass=user and equalityMatch uidNumber=121088; requested attributes (10 items): sAMAccountName, userPas
86. ity to find the specific information that is needed online is an art, and this skill has improved a lot. The most interesting subject throughout this project has been the authentication part. When we first encountered this subject we had absolutely no idea how authentication on a Linux system worked; now we can set up this system without any problems.
- A huge thanks to our tutor Erik Hjelmås and to Jon Langseth, who have guided and helped us to stay on the right path throughout this project.
- Thanks to our employer Thomas Kimmerich, who has given us this interesting project.
- Thanks to our families, who have been supportive and understanding that this has been a tough semester with no time for mingling.

Contents
Preface iii
Contents iv
List of Figures vii
List of Tables viii
Listings ix
1 Introduction 1
1.1 Problem 1
1.1.1 Demarcation 1
1.1.2 Task description 2
1.2 Target group 3
1.3 (title illegible) 3
1.4 Our background 3
1.5 Framework 4
1.5.1 Development model
87. make the hosts self-maintaining, so that they will e.g. delete temp files after a certain time and update themselves, etc. The PCs will have 32 GB of RAM. They have 15,000 NOK per PC to spend. Erik insists that we should have an SSD. Erik also thinks it might be possible to order PCs via Komplett instead, but then they do not have the 3-year warranty agreements they have with DELL. There should be different images for the different services. Erik says it is better to use libvirt than VirtualBox, because it can be easier to set limits and test when you can use the command line and test via libvirt instead of a whole application. We should also focus on using the CLI when we configure and try KVM. Then you learn more and get a better overview of what is possible and what is not. For next week we shall make a network map. Talk to Jon and get it approved. Find out how we can configure KVM via the CLI. Find Jon and ask him why he prefers VirtualBox, because Erik does not see why it is better than using libvirt and KVM. It is important that in the thesis we draw clear lines for why we do and choose what we do. We must get KVM and libvirt installed. Then a root user shall create a VM. Then a user shall be able to log on and start that VM, but all changes shall be saved to a separate file. So next time, when another user logs in, they shall be able to start the VM, but from their own scratch, and the chan
88. ject plan. We have decided that the project leader will be Stepan. We have as homework to read the PDF in the Fronter room about LaTeX, "The not so short introduction to LaTeX", by tomorrow.
13.01.2015
Discussion about the current structure/solutions. Uncertainty about what Thomas actually wants, but (we need) something concrete. We have not started on the project plan yet; we want to know exactly what Thomas wants first, so we begin working on the project plan after the meeting with Thomas tomorrow. We still have to set up our homepage.
Questions:
1. What does he want from the 6 purchased machines; is there something the students should have physical access to?
2. How does he want the students to have access to the VMs: SSH, Remote Desktop, etc.?
3. Is it a cloud solution he is after?
4. These services that are already to be set up, should they be a virtual machine that will then be inside the possible cloud solution?
5. Does he want a sharing solution between PC0 and the rest of the dummy PCs (PC1-6), which will run on a separate internal LAN (2 different VLANs)? Only used for e.g. sharing of files, e.g. assignments.
14.01.2015 Minutes from the meeting with Thomas, 09:30-10:15
- Snapshots shall be possible for all students.
- What the students shall meet when the PC boots is not given; come with suggestions.
- Not necessary, but in the end it would have been nice if it were possible to boot a VM via VPN; talk to Jon, he has the idea b
89. le-common unity-lens unity-services unity-settings-daemon unity-webapps unity-voice-service
##########
Install everything:
    # appending to /etc/sudoers directly bypasses visudo's syntax check
    echo "ourbox ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
    apt-get install -y virtualbox fluxbox
    apt-get upgrade -y
    apt-get install -y libpam-ldapd
Fill in the needed parameters; copy the /etc/nslcd.conf file from below.

/etc/nslcd.conf:
    # /etc/nslcd.conf
    # nslcd configuration file. See nslcd.conf(5) for details.
    # The user and group nslcd should run as.
    uid nslcd
    gid nslcd
    # The location at which the LDAP server(s) should be reachable.
    uri ldap://128.39.140.10
    # The search base that will be used for all queries.
    base ou=student,dc=hig,dc=no
    # The LDAP protocol version to use.
    ldap_version 3
    # The DN to bind with for normal lookups.
    # NOTE: bindpw is stored in clear text; keep this file readable only by root and the nslcd group.
    binddn cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
    bindpw Ourbox92
    # The DN used for password modifications by root.
    rootpwmoddn cn=admin,dc=example,dc=com
    # SSL options
    # NOTE: with ssl off the bind credentials and all lookups cross the network unencrypted.
    ssl off
    tls_reqcert never
    # The search scope.
    scope sub
    # Mappings for Active Directory
    pagesize 1000
    filter passwd (&(objectClass=user))
    map passwd uid sAMAccountName
    map passwd gidNumber primaryGroupID
    map passwd homeDirectory "/home/$sAMAccountName"
    map passwd gecos description
    map passwd loginShell "/bin/bash"
22.04.15
    map passwd uidNumber msSFU30UidNumber
    filter shadow (&(objectClass=user)
90. lop: bindRequest(0), version 3, name cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no, authentication: simple; response in frame 137]
- We got getent to return some values.
  - We also commented something out, such as
    - homeDirectory
    - shadowLastChange
    - posixGroup
    - uniqueMember
  - What we put in was what getent was asking for, in our RFC 2307 AD mappings:
    - nss_map_attribute gidNumber primaryGroupID
    - nss_map_attribute gecos description
    - nss_override_attribute_value loginShell /bin/bash
  - When we did our getent passwd 121088 we got back:
    - 121088:x:121088:513:Gavin Thomas Garrad:\\moa.stud.hig.no\home\121088:/usr/local/bin/bash
  - When we added the nss_map_attribute we got the host to create the \\moa.stud.hig.no\home\121088 folder in the folder
17.04.15
If we must reinstall the OS:
    # RFC 2307 AD mappings
    nss_map_attribute gidNumber primaryGroupID
    nss_map_attribute uidNumber sAMAccountName
    nss_override_attribute_value loginShell /bin/bash
    nss_map_attribute gecos description
    nss_override_attribute_value homeDirectory /home
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    pam_pas
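The following is an added example for this section; it is not code from the OurBox report and not nslcd code. It simulates what the "map passwd ..." lines in /etc/nslcd.conf do to an AD user object, and shows which attribute a numeric lookup such as getent passwd 121088 asks AD for: uidNumber unless it is mapped, msSFU30UidNumber with the mapping from 22.04.15. The AD entry in the block is constructed for the example; its values are not taken from HiG's directory.

```sh
#!/bin/sh
# Added example; not part of the OurBox report and not nslcd code. A small
# simulation of what the "map passwd ..." lines in /etc/nslcd.conf do to an
# AD user object, and of which attribute a numeric lookup asks AD for.
# The entry below is constructed for the example (LDIF-style "attr: value"
# lines); the values are not taken from HiG's directory.
AD_ENTRY='objectClass: user
sAMAccountName: 121088
msSFU30UidNumber: 121088
primaryGroupID: 513
description: Gavin Thomas Garrad'

# ad_attr ATTR ENTRY -> the first value of ATTR in ENTRY (empty if absent).
ad_attr() {
    printf '%s\n' "$2" | awk -F': ' -v a="$1" '$1 == a { print $2; exit }'
}

# passwd_filter ID ATTR -> the LDAP filter a lookup by numeric id produces
# when uidNumber is mapped to ATTR. Without a mapping ATTR is uidNumber,
# which the AD objects here do not carry, so the filter matches nothing;
# with "map passwd uidNumber msSFU30UidNumber" it becomes msSFU30UidNumber.
# The (objectClass=user) term comes from the "filter passwd" line.
passwd_filter() {
    printf '(&(objectClass=user)(%s=%s))\n' "$2" "$1"
}

# passwd_line ENTRY ATTR -> a passwd(5) line built with the report's map lines:
#   uid           <- sAMAccountName
#   uidNumber     <- ATTR (msSFU30UidNumber in the working config)
#   gidNumber     <- primaryGroupID
#   gecos         <- description
#   homeDirectory <- "/home/$sAMAccountName"
#   loginShell    <- "/bin/bash"
# The password field is a fixed "x" here; nslcd fills it from its own defaults.
# Returns 1 when a required attribute is missing, which is what an unmapped
# uidNumber does to every passwd lookup.
passwd_line() {
    entry=$1
    uidattr=$2
    name=$(ad_attr sAMAccountName "$entry")
    uidnum=$(ad_attr "$uidattr" "$entry")
    gid=$(ad_attr primaryGroupID "$entry")
    gecos=$(ad_attr description "$entry")
    [ -n "$name" ] && [ -n "$uidnum" ] && [ -n "$gid" ] || return 1
    printf '%s:x:%s:%s:%s:/home/%s:/bin/bash\n' "$name" "$uidnum" "$gid" "$gecos" "$name"
}

# Stand-alone demonstration: the failing and the working mapping side by side.
echo "unmapped lookup sends: $(passwd_filter 121088 uidNumber)"
passwd_line "$AD_ENTRY" uidNumber || echo "unmapped: no passwd entry for 121088"
echo "mapped lookup sends:   $(passwd_filter 121088 msSFU30UidNumber)"
passwd_line "$AD_ENTRY" msSFU30UidNumber
```

The first filter is the one seen in the Wireshark capture above, and it is why getent passwd 121088 returned nothing while a lookup by name (sAMAccountName) worked; the msSFU30UidNumber mapping is what makes the numeric lookup resolve.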
91. m from the /etc/init folder. This should work when I restart the PC. It WORKS. Just move/remove all the tty*.conf files from the /etc/init folder and restart the computer.
- Tried this: http://linuxpoison.blogspot.no/2008/08/how-to-disable-virtual-consoles-altf1.html
  - /etc/inittab doesn't exist on Ubuntu.
    - Customize Fluxbox
- https://help.ubuntu.com/community/Fluxbox#customize
- It seems like it makes a menu for each user, so I need to find the file that customizes it for all users.
  - http://fluxbox.org/help/man-fluxbox-menu.php
    - It seems to be around pkgdatadir/menu
- How to find this: type fluxbox -i
  - nano /etc/X11/fluxbox/fluxbox-menu
    - Just delete everything except the restart and exit choices in the menu.
- How to set up a menu:
    [submenu] (Application)
        [submenu] (Accessibility)
            [exec] (Xmag) {xmag}   (this should be one line)
        [end]
    [end]
    [restart] (Restart)
    - We have a problem: it seems like it won't execute commands, because we are trying to make a command that shuts down VirtualBox so that you log out, but Fluxbox won't run that command: pkill VirtualBox
  - Tried to remove some of the components in the toolbar in the /etc/X11/fluxbox/init file, but it doesn't seem to work.
11.03.15 MINUTES/LOG
A hand-in to Erik on 7 April, right after Easter; 1-2 before hand-in, red pen. Make a plan for the 9 weeks ahead so that we cover everything we are to include. Ask Erik why we have problem
92. mod 755 "$file"
    done

C.4 installVirtualBox.sh
    #!/bin/bash
    # Get access to the repository where VirtualBox 4.3 can be downloaded from
    # (tee with sudo, since a redirection after "sudo echo" runs as the unprivileged user)
    echo "deb http://download.virtualbox.org/virtualbox/debian trusty contrib" | sudo tee -a /etc/apt/sources.list
    # Download the Oracle public key for apt-secure and automatically add the key
    wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
    # Update the host with the new key
    sudo apt-get update
    # Install VirtualBox 4.3
    sudo apt-get install virtualbox-4.3
    # Install the extension pack for VirtualBox 4.3.26. This is needed to get access to
    # the USB ports on the guests etc. This is not the same as the Guest Additions.
    # First we go to /tmp and download the extension pack; after a reboot the
    # downloaded extension file will be removed automatically.
    cd /tmp
    wget -O extension.vbox-extpack http://dlc-cdn.sun.com/virtualbox/4.3.26/Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack
    # Make VirtualBox install the extension pack
    sudo VBoxManage extpack install extension.vbox-extpack
    # The user must be added to the vboxusers group to get full use of the pack
    sudo adduser admin vboxusers

C.5 defaultVMScript.sh
    #!/bin/bash
    # the admin account name did not survive extraction; ourbox is the admin user named elsewhere in the report
    admin=ourbox
    me=$(whoami)
    os=""
    for oses in $(ls -l /home/$admin/Desktop/ | awk '{print $9}' | grep vdi | cut -d t
93. mory and CPU should be divided.
Stepan's thoughts: The default value for the minimum number of running VMs is set to 4, and e.g. we have 100 (units of) resources. Before the first VM can be created, the resources will be divided into 4, so the new VM can at most use 25 of the resources. When the first VM is created and running, there are 80 of the resources left. The next VM will then have access to 75/3 = 25 of the resources, and so on. This way the first VM cannot be a large VM (use more than 25); however, if the user would like to create one powerful VM and 4 less powerful ones, this can be done this way. First VM
Gavin's thoughts: Have a max CPU usage and a max RAM usage, so that we can guarantee that you have at least so many VMs running on the hosts. E.g. you have a bottle of soda that is 1.5 L and you want to regulate how many glasses of soda you get. Let's say you want a minimum of three glasses of soda; then you get 0.5 L glasses. So you can make more glasses of soda, but none of your glasses is above 0.5 L; it can be anything between 0.1 L and 0.5 L. The admin can of course change this if he wants 0.6 L glasses, but then it won't be 3 glasses. But the main thought is that we set the max limit for each VM so that we know how many VMs we can run with full capacity on each VM.
21.01.2015 Minutes from the meeting with Thomas
Go through the spec requirements and see what kind of software fulfils what kind of requirements
94. n it should be.
- The simplest is if we use Linux and KVM: with a local group policy, the policy rules will be copied on to all the other hosts.
- Erik suggests that we rather have our own policy groups which are handed out to the students (password and username).
- Erik suggests that the sooner the better we try to set up the physical hardware and see what is possible and what is not, and how the technology works or where the limits are.
- Bridge mode between the VMs.
04.02.14 [sic]
- Told both a bit about KVM with libvirt.
- libvirt knows a lot about how this works in general.
- libvirt.org/apps
- There should be a mechanism in libvirt to differentiate admin and users.
- Talk to Jon ASAP; it is urgent.
- Erik recommends the KVM/libvirt daemon as a service on the host; the user logs in and gets an interface from libvirt.
- virt-manager talks to the libvirt daemon.
- The user has to be added to the virt-manager on
- virsh CLI
The qemu-kvm package is more like a binary translator which will not let KVM talk directly with the hardware, and this will slow down the VMs. Not cool. http://wiki.qemu.org/Index.html
Kiosk mode is what we want up.
- How should one stop a user from closing the window when kiosk mode is up? Describe it when we test it, the test.
Don't think much about HPV, but more about how the solution with libvirt and the virt-manager GUI works. Do a survey on the management part: google "local libvirt root group". Next week: Jon, alternative solut
95. ne at the users' side would be destroyed. In theory; we must test this.
- Overview of the cabling in the CISCO lab as of today.
18.02.15 Minutes from the meeting
- For next time we shall finish a small presentation to demonstrate how immutable etc. works with VirtualBox and KVM.
- Jon's reason for using VirtualBox:
  - The VirtualBox client is a known interface for the students; it has functionality for immutable.
- Do an lsattr on the immutable disk in VirtualBox.
  - chattr +i makes the file immutable
- In two weeks we should have ready:
  - Some examples of how the network diagram in the Cisco room could look.
    - Use a fancy program so that we have an original underneath and can draw changes and proposals on top in colour.
    - Google this for inspiration: "Network lab diagram".
  - Set up chapters and make a structure for the whole bachelor thesis.
    - Make bullet points of where things go, and insert diagrams.
- If Erik had set up the system he would have used a manager with Foreman.
  - We can take a trip to Terje and get a demonstration of how Foreman works.
- Thomas said that if the students set up groupings on the PCs themselves, it would not be the end of the world either.
20.02.15
Got a tip about a page regarding LDAP: http://www.stud.hig.no/~131284/it/hig.html
A startup script has been set up so that every time a user (not the ourbox user) logs in, the script for creating a default Ubuntu VM will automatically be run. All scripts w
96. ng to Thomas about what works and satisfies our requirements and what does not. From 13 April on we should have it set up and ready for demonstration. Erik: 21 March to 10 April; 26 March available by email. Week 12 there is a meeting.
18.03.15 Meeting minutes
We must have testing on the plan. Does it follow the Gantt chart and the requirement spec? Ask Erik. Read about user acceptance testing before we do the testing and before we write about it.
  - It should be in accordance with the requirement spec. Use Thomas, the assistants and 2 other random people; max 5. 15-20 April we should do it. We cannot 27 March to 10 April. Thomas
Meeting with Erik on 10 April and meeting with Thomas on 15 April, where we talk about how we are going to test.
23.03.15 MINUTES FROM THE MEETING WITH JON
Found out that ldap.hig.no is a server for simple lookups about users, such as email, picture and name. So until now we have been trying to verify the password against the wrong server for the last weeks. The reason was that after a visit to the IT department we were told just to try our way forward. We have thus managed to spend 2 weeks with little sensible progress.
Got two notes:
  - Note 1: Server we should connect to: hig1.hig.no (IP 128.39.140.7) or carol.hig.no (IP 128.39.140.10). My user account we will authenticate with: 120683. bindDN: cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
He said there were two possibilities: authenticate against the one we got, which means that we use PAM against Active Directory; this means we mu
97. nic PDF in Fronter. In addition, the students shall hand in a copy to the employer.
8. This agreement is drawn up with one copy to each party. On behalf of GUC it is the dean/vice dean who approves the agreement.
9. In each case it is possible to enter a separate agreement between employer, student(s) and GUC that regulates more closely conditions regarding issues such as ownership, further use, confidentiality, cost coverage and economic utilisation of the results. If employer and student(s) wish an additional or new agreement, this will occur without GUC as a party.
10. When GUC also acts as employer, GUC accedes to the agreement both as education institution and as employer.
11. Possible disagreements concerning the understanding of this agreement are solved by negotiations between the parties. If consensus is not achieved, the parties agree that the disagreement is solved by arbitration according to the provisions in the Civil Procedure Act of 13 August 1915 no. 6, chapter 32.
12. Participants in the project implementation: GUC's supervisor: Erik Hjelmås (handwritten). Employer: THOMAS KEMMERICH. Student signatures, employer signature and dean/vice dean signature with dates: handwritten, illegible in this copy.
Revised 25 November 2010, Hilde Bakke
...not work.
  - http://vsido.org/index.php?topic=852.0
    - this might be an interesting read; I found out how to make fluxbox the default display manager with this:
  - https://wiki.ubuntu.com/LightDM
    - [SeatDefaults] user-session=name
    - There is something to do with this also:
      update-alternatives --install /usr/bin/x-session-manager x-window-manager /usr/bin/startfluxbox 2
      update-alternatives --config x-window-manager

21.04.15
- Removed some functionality in fluxbox in the folder /etc/X11/fluxbox and in the files keys and fluxbox-menu:
  - in keys I removed the functionality to open a terminal:
      # open a terminal
      Mod1 F1 :Exec x-terminal-emulator
      # open a dialog to run programs
      Mod1 F2 :Exec fbrun
  - in fluxbox-menu I removed most of the applications, so that nothing other than virtualbox can be opened.
- How to change the startup script is in /usr/bin/startfluxbox.
- remove unity: sudo apt-get remove unity-lens-music unity-lens-applications unity-greeter unity-common unity-asset-pool unity-2d-launcher unity-2d libunity-misc4 libunity-2d-private0 gir1.2-unity-4.0
  - Not sure if this totally works yet.
- http://www.geek.com/chips/dont-uninstall-ubuntu-just-change-the-interface-1542514/2
  - This did not fully work; trying this also: sudo apt-get remove unity unity-asset-pool unity-control-center unity-control-center-signon unity-gtk-modu
...of the pack

Configuration
We made a script which went into the /etc/profile.d folder, which is meant to be run every time a user logs on to the system. There it made a virtual machine from the vdi image that was on the administrator's desktop. The problem we encountered was the restrictions of the vdi image; what was done to fix the problem was to chmod 755 the vdi file and add the vdi image to our test group.

Listing 4.22: DefaultVMs.sh, first edition

```bash
#!/bin/bash
os="Ubuntu"
user=$(whoami)
DIRECTORY="$HOME/VirtualBox VMs/$os"
if [ "$user" = "ourbox" ]; then
    osRegEx="\"$os\""
    # names of the VMs VirtualBox already knows about, without the surrounding quotes
    knownVMs=$(VBoxManage list vms | grep -e "$osRegEx" | awk '{print $1}' | sed 's/"//g')
    if [ "$knownVMs" != "$os" ]; then
        if [ -d "$DIRECTORY" ]; then
            rm -r "$DIRECTORY"
        fi
        VBoxManage createvm --name "$os" --ostype Ubuntu_64 --register 2>&1
        VBoxManage modifyvm "$os" --memory 1024 2>&1
        VBoxManage modifyvm "$os" --vram 256 2>&1
        VBoxManage modifyvm "$os" --cpus 2 2>&1
        VBoxManage storagectl "$os" --name sata1 --add sata 2>&1
        VBoxManage storageattach "$os" --storagectl sata1 --port 0 --device 0 \
            --type hdd --medium /home/ourbox/Desktop/Ubuntu.vdi --mtype immutable 2>&1
    fi
fi
```

Definition of:
Line 1-4: These are the different variables that were used in the script. DIRECTORY is for the differential files.
Line 5: If the user who logs in isn't ourbox, then it makes t
...of the package libpam-ldap
This is the old version of libpam-ldapd, with several inconveniences. For this project there is one major inconvenience which is important to understand:
- This package has all its necessary LDAP configuration stored in /etc/ldap.conf, which is a static file. This means that there is no possibility to add or assign variables dynamically.

3.4.1 Packet's content
This package includes:
- auth-client-config: A helper script which modifies the nsswitch and PAM configuration with predefined configurations. This is meant to make it easier to configure the authentication and authorization parts.
- ldap-auth-client: A meta-package for LDAP authentication, dependent on other packages.
- ldap-auth-config: This is the configuration package for LDAP authentication, dependent on the meta-package.
- libnss-ldap: This package is in general the same as libnss-ldapd, but has some issues with lookups when booting and when serving host information. There are also some issues with setuid programs (sudo, su) when using LDAP with SSL.
- libpam-ldap: This package is in general the same as libpam-ldapd, but has some differences that are unimportant for this project.

3.4.2 ldap.conf
What is ldap.conf?
The main configuration file for LDAP is located in /etc/ldap.conf, containing all the necessary parameters for making a successful connection to an LDAP server [4, 3]. It is important to notice that when using libpam-ldapd the configuration file is n
4.10 ...ome directory  32
4.11 [illegible]  33
4.12 [illegible]  33
4.13 Fluxbox changed  34
4.14 [illegible]  35
4.15 Fluxbox administrator  35
4.16 [illegible]  36
4.17 Move TTY consoles  36
4.18 [illegible]  36
4.19 Create a ... img  37
4.20 defaultLibvirtFile.sh  37
4.21 Installation of Virtualbox 4.3  39
4.22 DefaultVMs.sh, first edition  40
4.23 verifyNewOSes.sh  42
4.24 DefaultVMScript.sh  42

Summary
A short project description
The Cisco lab at HiG consists of old computers running Windows 7 and is available for all students who have access to the lab. On these machines students have full administrator rights, which means that the students can do whatever they want on them, while the purpose of these machines is to be used with Cisco equipment for configuration and testing. The project's goal is to make a prototype where the students do not have full administrative rights on the host machine, but rather on the virtual machines on the host. The students will have their own test domains, which will not affect the other students in any way. The contents of the report have been written in such a way that those who are going to further develop th
...onf.d/*.conf [4, 3]

3.6.1 Different commands

Listing 3.5: lightdm.conf

```
[SeatDefaults]
allow-guest=true/false
greeter-hide-users=true/false
greeter-show-manual-login=true/false
autologin-user=username
autologin-user-timeout=delay
user-session=name
greeter-session=name
```

Definition of:
Line 2: This allows a guest user to log in.
Line 3: This will hide the user list if there are different user accounts on the host machine.
Line 4: If this is set to true, the user has to enter username and password.
Line 5: Autologin the username specified.
Line 6: Line 4 needs to be set, and this will then delay the login so that the greeter will be shown for that many seconds before logging in.
Line 7: Changes the default session. To change the default session you also need a desktop file in /usr/share/xsessions/<name>.desktop, where <name> is the name of the desktop session.
Line 8: Changes the default greeter, which usually is Unity in Ubuntu.

3.7 Fluxbox

3.7.1 What is Fluxbox
Fluxbox is a window manager. It is a graphical handler for the windows generated by applications on a host. It can either be run within a desktop environment or standalone.

Figure 4: Fluxbox as desktop (screenshot: the Fluxbox root menu with the entries fluxbox, Applications, Games, Help, Window Managers, Configuration, Styles, Workspaces, Reconfigure, Restart, Exit, and the toolbar showing Workspace 1 and the clock)

Fluxbox as a window manager offers a lot of functionality, not only graphi
...onfigured for the daemon to work (see figure) [4, 3].

Listing 3.1: nslcd.conf basic

```
uri ldap://128.39.140.10
base ou=student,dc=hig,dc=no
binddn cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no
bindpw PASSWORD
scope sub
ldap_version 3
```

Attribute explanation:
- uri ldap:// tells LDAP where the LDAP server is located, preferably with an IP address as shown in Listing 3.1.
- base (baseDN) is where the search will start. In this example the search will start in the folder student and search through everything inside this folder.
- binddn (bindDN) is the DN of our user account in HiG's LDAP directory, where the user is located. OU stands for Organizational Unit and in practice is like a folder. CN stands for Common Name and is usually the end user, or the last piece of the search string. We can look at the DN as a tree with branches. Here we can see that this user, 120683, is located first from the root directory in the folder named student, then in another folder named 12HBWUA.
- bindpw is the password that is needed to authenticate the bindDN.
- scope means how the data is structured inside the LDAP database and how the ldapsearch will perform the search. sub stands for subtree and indicates searching of all entries at all levels under and including the specified baseDN [2]; see the different scopes in Figure 2.
- ldap_version 3 is needed to tell the LDAP server that the client wants to use the newest version of LDAP with all its new features; a list
... set up and ready for demonstration. Erik: 21 March to 10 April; reachable by e-mail from 26 March. Meeting in week 12. We talked to the IT department (not John) about getting permission to connect to the LDAP at the school, and we got permission.

Authentication etc.

12.03.15
- How to set up basic information about LDAP/PAM:
  - https://wiki.debian.org/LDAP/PAM
  - http://www.padl.com/OSS/pam_ldap.html
- sudo apt-get install libpam-ldap
  - entered ldap://ldap.hig.no as address
  - ou and dc were ciscolab and local
  - removed it again
- Started to work on why fluxbox won't run commands
  - http://gotoanswer.stanford.edu (Fluxbox Menu and root commands)

13.03.15
- Windows tool for LDAP authentication: LDAP Administrator 2015.1 can find info about users but cannot verify passwords or users. Looks like we need an admin account.
  - http://www.ldapbrowser.com/download.htm
  - My DN in ldap.hig.no: uid=120683,ou=Avdeling for informatikk og medieteknikk,dc=hig,dc=no
  - [screenshot: LDAP Administrator connected to ldap.hig.no:389, directory tree loaded successfully]
- OpenLDAP setup
  - https://wiki.archlinux.org/index.php/OpenLDAP
  - https://wiki.archlinux.org/index.php/LDAP_authentication

16.03.15
- http://www.linuxquestions.org/questions/slackware-14/how-do-i-start-flux
...or of either the hypervisor or the host.

Requirement: Students should be able to choose which NIC the virtual machines are going to use. Virtual machines shall have access to the hardware.
Fulfilled: Yes
Comment: Both hypervisors (KVM and VirtualBox) will be able to satisfy the ability of choosing the physical NIC. This is possible by default through the settings of the virtual machine.

Requirement: Students will be able to choose how much memory etc. the virtual machines are going to use, within defined limits.
Fulfilled: Partially
Comment: Both hypervisors (KVM and VirtualBox) will be able to let the user choose how much memory, CPU etc. each virtual machine will be able to use; we haven't looked at how the hypervisor can create limits for the users.

Requirement: The student will not be able to make changes on the host, only make changes to running VMs.
Fulfilled: Yes
Comment: Students will only have administration rights on their own virtual machines, nothing else.

Requirement: After a student has created a snapshot, the snapshot should be able to be stored on the host so that later the student can find that VM on the same host.
Fulfilled: Yes
Comment: This works. The students are able to take snapshots on the immutable image. They are also able to delete the snapshots, which makes them go back to the original immutable image.

Requirement: Each virtual machine must be separated; no shared fold
Fulfilled: Yes
Comment: By default both VirtualBox and KVM will have virtual machines separated from each other. It
...osixAccount class. This is an auxiliary class and adds cn, uid, uidNumber, gidNumber and homeDirectory as mandatory attributes, and userPassword, loginShell, gecos and description as optional attributes. Because posixAccount is auxiliary, we can add it to our person object for the people we want to be able to authenticate.
- Password: When we use no encryption while authenticating a user against the LDAP server, the password is sent in plaintext (visible in hexadecimal form in the capture below).

No.  Time          Source         Destination    Protocol  Length  Info
133  24.667793000  10.10.0.70     128.39.140.10  TCP       74      47089 > ldap [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1897621 TSecr=0 WS=128
134  24.669310000  128.39.140.10  10.10.0.70     TCP       78      ldap > 47089 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=1 TSval=0 TSecr=0 SACK_PERM=1
135  24.669349000  10.10.0.70     128.39.140.10  TCP       66      47089 > ldap [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=1897621 TSecr=0
136  24.669421000  10.10.0.70     128.39.140.10  LDAP      132     bindRequest(1) "cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no" simple
137  24.672621000  128.39.140.10  10.10.0.70     LDAP      88      bindResponse(1) success

Frame 136: 132 bytes on wire (1056 bits), 132 bytes captured (1056 bits) on interface 0
Transmission Control Protocol, Src Port: 47089 (47089), Dst Port: ldap (389), Seq: 1, Ack: 1, Len: 66
Lightweight Directory Access Protocol
  LDAPMessage bindRequest(1) "cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no" simple
    messageID: 1
    protoco
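To make the point of the capture concrete, here is an added example (not code from the report) that decodes the BER structure of an LDAP BindRequest as it appears in frame 136 and flags simple binds that were not protected by TLS; the sample bytes are constructed from the report's bind DN with a placeholder password, and the `encrypted` flag stands in for "seen inside an LDAPS or STARTTLS session".

```python
"""Decode LDAP BindRequests from captured bytes and flag cleartext simple binds.

Added example, not from the OurBox report. BER layout per RFC 4511:
LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] BindRequest }
BindRequest ::= { version INTEGER, name OCTET STRING,
                  authentication CHOICE { simple [0] OCTET STRING, sasl [3] ... } }
"""
from dataclasses import dataclass

LDAP_PORT, LDAPS_PORT = 389, 636


def _encode_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """Bytes an LDAP client sends for a simple bind (message IDs < 128 only).

    Used only to construct sample input; it is the same structure Wireshark
    labels bindRequest(1) "..." simple in the report's capture."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindInfo:
    message_id: int
    version: int
    dn: str
    method: str        # "simple" or "sasl"
    secret_len: int    # password bytes present in the payload (0 for SASL)
    cleartext: bool    # simple bind that was not protected by TLS/LDAPS


def parse_bind_request(payload: bytes, encrypted: bool = False):
    """Parse one LDAPMessage; BindInfo for a BindRequest, None for other operations."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x60:                        # e.g. 0x63 is a searchRequest
        return None
    _, ver, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag == 0x80:
        method, secret_len = "simple", len(auth)
    elif auth_tag == 0xA3:
        method, secret_len = "sasl", 0
    else:
        raise ValueError(f"unknown authentication choice 0x{auth_tag:02x}")
    return BindInfo(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                    name.decode(), method, secret_len,
                    method == "simple" and not encrypted)


def audit_capture(frames):
    """frames: iterable of (dst_port, payload). Report simple binds sent without TLS.

    Only the password length is reported, never the password, so the output can be shared."""
    findings = []
    for port, payload in frames:
        info = parse_bind_request(payload, encrypted=(port == LDAPS_PORT))
        if info and info.cleartext:
            findings.append(f"cleartext simple bind to port {port}: dn={info.dn} "
                            f"({info.secret_len} password bytes exposed)")
    return findings


# Constructed sample: the report's bind DN with a placeholder password, sent once
# to plain LDAP (389) and once to LDAPS (636). Not a real capture.
SAMPLE_DN = "cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no"
SAMPLE_FRAMES = [
    (LDAP_PORT, build_simple_bind(1, SAMPLE_DN, "EXAMPLE-PASSWORD")),
    (LDAPS_PORT, build_simple_bind(1, SAMPLE_DN, "EXAMPLE-PASSWORD")),
]

if __name__ == "__main__":
    for line in audit_capture(SAMPLE_FRAMES):
        print(line)
```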
...ost; the user logs in and gets an interface from libvirt
- virt-manager talks to the libvirt daemon
- the user has to be added to virt-manager on
- virsh CLI
The qemu-kvm package is more like a binary translator which will not let KVM talk directly with the HW, and this will slow down the VMs. Not cool. http://wiki.qemu.org/Index.html
Kiosk mode is what we want up
- how do you stop a user from closing the window when kiosk mode is up
Describe it when we test it (the test)
Don't think much about HPV, but more about how the solution with libvirt and virt-manager's GUI
Do a survey on the management part (google: local libvirt root group)
- Next week: meeting with Jon. Jon: alternative solutions; end of week: new PC; researched more on the manager

- He thinks that we can simply use VirtualBox
  - in VirtualBox you can make a virtual machine which is a clone of a virtual machine
  - then we can make a root VM which can be cloned and used
  - drop VMware from our thoughts
  - VMware will create more problems and a lot more maintenance
- Immutable disk images
- We asked this question about kiosk mode with VirtualBox
  - He thinks it doesn't really exist
  - He says it may be possible to hack it together
- Mentioned regarding security that they have access to the HW, so security
- Why should one have to start a VM to get access to PuTTY
- Lillemyk is going to participate, so we need virtualisation
-
```
countryCode: 0
homeDirectory: \\moa.stud.hig.no\home\120683
homeDrive: H:
badPasswordTime: 130758073772686499
lastLogoff: 0
lastLogon: 130758074239599687
pwdLastSet: 130715710708939558
primaryGroupID: 513
profilePath: \\moa.stud.hig.no\profile\120683
objectSid:: AQUAAAAAAAUVAAAAILENI KgyGgHSTsrkKG4AAA
accountExpires: 9223372036854775807
logonCount: 30
sAMAccountName: 120683
sAMAccountType: 805306368
userPrincipalName: 120683@hig.no
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=inu,DC=no
lastLogonTimestamp: 130758016306697411
mail: 120683@hig.no
mobile: 93217041
msSFU30UidNumber: 48157
msSFU30HomeDirectory: /srv/stud/moa/home/120683
```

Definition of the ldapsearch command (see lines 1-3 in Listing 4.2):
- -x: Use the basic authentication method (no SSL or certificate involved).
- -h: The LDAP server.
- -b: The baseDN, the base node where the search will start.
- -p: Port number (default 389).
- -D: The user (bindDN) that is going to perform the lookup, since the AD server doesn't support unauthenticated requests.
- -W: Prompt for the password instead of adding it in plaintext with the search.
- samaccountname: search for the student number.

The response from the AD server returned many attributes, each followed by a value. Those attributes can now be used for new queries when we start with the mapping.

4.1.2 Configuring LD
...out. Solution: add rmmod mei_me to the startup file /etc/rc.local. Source: https://bbs.archlinux.org/viewtopic.php?id=168403

02.02.15
- Trying to find more information about different hypervisors. We have three hypervisors which we will take a closer look at:
  - KVM
    - A lot of good definitions around virtualization, KVM, libvirt and virsh: http://www.linuxnix.com/2013/02/kvm-get-hypervisor-and-guest-virtual-machine-details.html
    - Libvirt has several permission/authentication rules:
      - https://wiki.archlinux.org/index.php/libvirt#User_permissions
      - https://www.suse.com/documentation/sles11/book_kvm/data/sec_libvirt_connect_auth.html
      - "A default install of libvirt will typically use polkit to authenticate the initial user connection to libvirtd. This is a very coarse grained check though, either allowing full read-write access to all APIs, or just read-only access. The polkit access control driver in libvirt builds on this capability to allow for fine grained control over the operations a user may perform on an object." https://libvirt.org/aclpolkit.html
  - VMware ESX
  - Xen

04.02.14
- Meeting: told both a bit about KVM with libvirt
  - Libvirt knows a lot about how this works in general: libvirt.org/apps
  - There should be a mechanism in libvirt to differentiate Admin and Users
  - Talk to Jon ASAP, it is urgent
  - Erik recommends the KVM/libvirt daemon as a service on the h
...over what's new in version 3 [13].

Figure 2: Example of scopes (the three scope options: SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE)

nslcd.conf mapping
This is how a mapping in Ubuntu may look against an Active Directory server.

Listing 3.2: Mapping in nslcd.conf

```
filter passwd (&(objectClass=user))
map passwd uid sAMAccountName
map passwd gidNumber primaryGroupID
map passwd homeDirectory homeDirectory
map passwd gecos description
map passwd loginShell "/bin/bash"
map passwd uidNumber msSFU30UidNumber
filter shadow (&(objectClass=user))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
```

Line 1, 8: filter is a command for setting a search filter for a specific map. This sets the passwd/shadow filter attribute to user; by default this is set to posixAccount.
Line 2, 9: uid is the attribute which tells the username of the user.
Line 3: gidNumber is the ID of the group of which the user will be a member.
Line 4: homeDirectory is where the home directory will be mounted.
Line 5: gecos contains general information, usually the name of the account owner.
Line 6: loginShell is what kind of shell the user will be prompted with.
Line 7: uidNumber is the UID number of the user.
Line 10: shadowLastChange is the attribute which tells when the user's password was last changed.

3.4 Explanation
...p with AD
  - http://thejoyofstick.com/blog/2012/03/31/authenticating-linux-users-against-microsoft-active-directory
  - host carol.hig.no / base ou=student,dc=hig,dc=no / ldap_version 3 / binddn cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no / bindpw MY-PWD / pam_login_attribute sAMAccountName
    - THE TUTORIAL ABOVE DID NOT WORK
- https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

27.03.15
- Tried to follow this link: https://help.ubuntu.com/community/LDAPClientAuthentication. But something went wrong with the authentication of my account. Will work with this later on.
  - Couldn't get this to work either.

30.03.15
- Tried this video: https://www.youtube.com/watch?v=kSCx3tzCOcA
  - Couldn't get this to work either.
- Trying this tutorial: http://naidutrk.blogspot.de/2012/03/setting-up-ldap-client-authentication.html
  - Couldn't get this to work either. Nothing happens besides the usual login prompt to the ourbox local user.
- NOTE: To check the log when we cannot log in with an account, visit /var/log/auth.log

I have authentication problems with my own connection to LDAP, with error message:
> nss_ldap: could not connect to any LDAP server as cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no - Can't contact LDAP server
> nss_ldap: failed to bind to LDAP server ldap://128.39.140.10: Can't contact LDAP server
When we boot up the host, the host tries to set up a connection with the LDAP server b
...pp is not given; come with suggestions. Not necessary, but in the end it would have been nice if it were possible to boot a VM via VPN; talk to John, he has the idea behind this. Possible with VirtualBox. Everything is about the supervisor itself and its limitations. Search the web for advantages and disadvantages; does the solution satisfy the requirements? In the end it should be possible for the teacher to sit somewhere and fire up VMs from a PC; this is to save the time of installing a VM physically on each PC. Someone else can make the interface. What kind of supervisor: every time the student starts the PC, everything should be base-configured; no need for a host or the like unless it has greater advantages. At the end of the bachelor project there should be all the other steps required to continue in order to get the system 100% up and working. 4 February: after 13:00 it is not possible to get in. 9:30 on Wednesdays there will be fixed meetings with Thomas. The week before and after Easter. Write the requirement specification for next time.

21.01.2015 Minutes from the meeting with Thomas
- Go through the spec requirements and see what kind of software fulfils which requirements. Send the spec requirements to Thomas. If something COSTS A FEW THOUSAND KRONER FOR A LICENCE THAT IS FINE, BUT OTHERWISE NO.
- Weeks 1-2: make pros/cons of software
  - make a timetable
  - search through what exists on the market
  - start on the comparison
- We must also take into account whether the service is going to be slu
...py-on-write VMs. Otherwise we cannot create VMs; the qcow2 file must be created first, which is at minimum ca. 192K. The problem here is:
  - We have to pre-define how many VMs a user can create.
  - 192K x number of the particular OS a user can create x number of different OSes x number of users on the system = too much unused and occupied space.
  - When the user is going to choose a VM, e.g. Ubuntu1.qcow2, this file will be occupied. Next time the user wants to choose and create a new Ubuntu VM, Ubuntu1.qcow2 will still be displayed, but at the end, when the user presses finish with the installation of the new VM, an error will occur and say that this qcow2 file is already used by another VM. This can easily confuse the user, and he/she must remember and have an overview of which files are used and not.
- Fluxbox: https://help.ubuntu.com/community/Fluxbox
  - Tried fluxbox again, but we had a tip from Magnus, the student assistant: instead of
      fluxbox &
      virtualbox
    he said that we should try
      fluxbox & virtualbox
    on the same line, which then works.
  - The next thing we need to do is make sure that you cannot access anything through fluxbox and the virtual consoles.
  - How to deactivate the tty virtual consoles:
    - http://ubuntuforums.org/showthread.php?t=1400893
    - https://help.ubuntu.com/community/RemoveTTY
    - sudo mv tty1.conf /home/ourbox/Desktop
      - It says you can either remove them or just move the
...r there.
- It is an important thing to be able to use the host as a workstation.
- If the host OS is Windows, VirtualBox works very well.

11.02.15 Meeting
- We don't need to consider that the cable may be pulled out etc. Every PC will be connected to a pod; 12 hosts in total, said Thomas, 2 per pod. We must draw a network map. The students must be able to copy/paste between the VMs. Important that John approves the network structure, where all the PCs are connected to the HiG backbone.
- Not that it is part of our task, but he wants it to be possible later to configure the VMs remotely. Every PC must have a trunk with VLANs. Different subnets. Important that we include immutable images. Erik says it is important to make the hosts self-maintaining, so that they e.g. delete temp files after a certain time and update themselves etc. The PCs will have 32 GB RAM. They have 15,000 kr per PC to spend. Erik insists that we should have an SSD.
  - Erik thinks it could also be possible to order PCs via Komplett instead, but then they don't have the 3-year warranty agreements with DELL.
- There should be different images for the different services. Erik says it is better to use libvirt than VirtualBox, because it can be easier to set limits and test when you can use the command line and try/test via libvirt instead of a whole application. We should also focus on using the CLI when we configure and try KVM. Then
...r authentication. Authorised by a local entity (the cisco lab's): a guest user.
11. Groups have to exist. Each group consists of one or more users. They share one folder where the VMs for the group will be stored. Each user's virtual machine will be stored in the group folder.
12. Administrators will have full permission to change configuration settings on the hypervisor.
13. Students should be able to choose which NIC the virtual machine is going to use. Virtual machines shall have access to the HW.
14. Students will be able to choose how much memory etc. the virtual machine is going to use, within defined limits.
15. The student will not be able to make changes on the host, only make changes to running virtual machines.
16. After a student has created a snapshot, the snapshot should be able to be stored on the host, so that later the student can find that virtual machine on the same host.
17. Each virtual machine must be separated; no shared folders etc. (SF) shall be possible.
18. Each host will run several virtual machine(s) when the host is at full capacity.
19. The administrator will be able to change how many virtual machine(s) the host can run when the host is at full capacity, but this will of course be restricted to the host's hardware itself.
20. Configuration will be possible through command line or GUI.
21. A centralized management solution shall be possible.

3 Theory

3.1 LDAP
The word LDAP (Lightweigh
...r chooses a virtual machine, e.g. Ubuntu1.qcow2, this file will now be occupied. Next time the user wants to choose and create a new Ubuntu virtual machine, Ubuntu1.qcow2 will still be displayed, but at the end, when the user presses "finish" with the installation of the new virtual machine, an error will occur and say that this qcow2 file is already used by another virtual machine. This can easily confuse the user, and he/she must remember and have an overview of which files are used and not.

4.5.2 Conclusion of the VirtualBox DefaultVM.sh (final)
As mentioned in section [...], it is necessary to change the permissions on the vdi images. To make it easier for the administrator, all he now has to do is to have a folder named os on the administrator's desktop. Then Listing 4.23 will take care of the permissions of every image inside the folder. It will also change the permission of the os folder. The script runs only one time, and that is at installation or if there are new vdi images.

Listing 4.23: verifyNewOSes.sh

```bash
#!/bin/bash
admin=admin
osdir="/home/$admin/Desktop/os"
chmod 755 "$osdir"
# make every vdi image in the os folder readable for the student account
for file in "$osdir"/*.vdi; do
    [ -e "$file" ] && chmod 755 "$file"
done
```

Listing 4.24: DefaultVMScript.sh

```bash
#!/bin/bash
admin=admin
me=$(whoami)
os=""
for oses in /home/$admin/Desktop/os/*; do
    # the rest of this listing continues on the following page of the report
```
...rc Port: ldap (389), Dst Port: 46521 (46521), Seq: 23, Ack: 288, Len: 315
Lightweight Directory Access Protocol
  LDAPMessage searchResEntry(2) "CN=120683,OU=12HBWUA,OU=Student,DC=hig,DC=no" [1 result]
    messageID: 2
    protocolOp: searchResEntry (4)
      searchResEntry
        objectName: CN=120683,OU=12HBWUA,OU=Student,DC=hig,DC=no
        attributes: 5 items
          PartialAttributeList item objectClass
          PartialAttributeList item cn
          PartialAttributeList item description
          PartialAttributeList item homeDirectory
          PartialAttributeList item sAMAccountName
    [Response To: 91]
    [Time: 0.001739000 seconds]
Lightweight Directory Access Protocol
  LDAPMessage searchResDone(2) success [1 result]
    messageID: 2
    protocolOp: searchResDone (5)
      searchResDone
        resultCode: success (0)
        matchedDN:
        errorMessage:
    [Response To: 91]
    [Time: 0.001739000 seconds]

So there are some attributes the command needs that it is not getting. We can check if a command ran successfully or had any errors by entering in the CLI:

```
root@ourbox:/home/ourbox# getent passwd 120683
root@ourbox:/home/ourbox# $?
2: command not found
```

In the man page for the error codes of getent, the code 2 indicates: "2 One or more supplied key could not be found in the database".
- http://www.davidpashley.com/articles/ldap-basics
  - an article about ldap basics; this is where we read that "Another common use for LDAP is authentication of user accounts. For this we can use the p
...red. If the processor doesn't have full virtualization support, KVM can still be used as a hypervisor, but then QEMU will be required. What QEMU does is to perform as an emulator which binary-translates the encoding between the hardware and KVM. This will not let KVM perform at full power and will slow it down, but it is a workaround. Since KVM is a pure hypervisor, the need for an API as a management tool is important. The most widely used management tool for interacting with a hypervisor such as KVM is libvirt. For a user to be able to interact with the hypervisor, a user interface is needed. There are many different interfaces on the market, but the most common graphical interface used with libvirt is Virtual Machine Manager, best known as virt-manager, while the most popular command-line interface is virsh. KVM supports different guest operating systems such as Linux, BSD, Solaris, Windows, Haiku, ReactOS, Plan 9, AROS Research Operating System and OS X.

An explanation of the commands used in this project:
- virt-install: Create a new container with defined attributes.
  - -n: the name given to the virtual machine
  - --vcpu: how many virtual CPUs the guest OS will be able to use
  - -r: how much memory will be allocated to the guest OS
  - --disk: the path where the new img container will be created
  - --cdrom: what is going to be mounted in the CD-ROM. Of

Figure 5: Hypervisor, management tool and user interface
...sing common keycodes; if these don't work use xev to find out your real keycodes

```
176 :Exec amixer sset Master,0 1+
174 :Exec amixer sset Master,0 1-
160 :Exec amixer sset Master,0 toggle

# current window commands
Mod1 F4 :Close
Mod1 F5 :Kill
Mod1 F9 :Minimize
Mod1 F10 :Maximize
Mod1 F11 :Fullscreen

# open the window menu
Mod1 space :WindowMenu

# exit fluxbox
Control Mod1 Delete :Exit

# change to previous/next workspace
Control Mod1 Left :PrevWorkspace
Control Mod1 Right :NextWorkspace

# send the current window to previous/next workspace
Mod4 Left :SendToPrevWorkspace
Mod4 Right :SendToNextWorkspace

# send the current window and follow it to previous/next workspace
Control Mod4 Left :TakeToPrevWorkspace
Control Mod4 Right :TakeToNextWorkspace

# change to a specific workspace
Control F1 :Workspace 1
Control F2 :Workspace 2
Control F3 :Workspace 3
Control F4 :Workspace 4
Control F5 :Workspace 5
Control F6 :Workspace 6
Control F7 :Workspace 7
Control F8 :Workspace 8
Control F9 :Workspace 9
Control F10 :Workspace 10
Control F11 :Workspace 11
Control F12 :Workspace 12

# send the current window to a specific workspace
Mod4 F1 :SendToWorkspace 1
Mod4 F2 :SendToWorkspace 2
Mod4 F3 :SendToWorkspace 3
```
...slcd.conf, containing the same attributes as in ldap.conf, only that the syntax is a little bit different when mapping with AD (see Listing 3.2).

Mapping with AD
AD and Unix have roughly the same attributes but use different names; therefore the mapping process is needed.

In the ldap.conf file there are 10 commented default lines which are meant to help when setting up the mapping against AD. Those lines are:

Listing 3.3: Correct mapping

```
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
```

The syntax starts with the mapping command, followed by the Unix attribute name and then AD's name for the attribute.

Mapping explanation:
- nss_map_objectclass: Maps an objectClass, which is a collection of attributes.
- nss_map_attribute: Maps the attribute. An attribute contains data.
- pam_login_attribute: The user ID attribute.
- pam_filter: Filters PAM for user information.
- pam_password: Creating the unicode password and updating the unicode password attribute.

3.5 nsswitch.conf
This is the configuration file located in /etc/
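As an added example (not code from the report or from nss-pam-ldapd), the script below applies the mapping lines of Listings 3.2 and 3.3 to the AD entry returned by the ldapsearch in Listing 4.2 and shows the passwd and shadow fields a client ends up with: it converts pwdLastSet (an AD FILETIME) to the days-since-1970 unit shadowLastChange uses, and checks that the mapped homeDirectory is a Unix path, since the sample entry carries a UNC homeDirectory next to a Unix-style msSFU30HomeDirectory. The entry values are reconstructed from the report's output; the backslashes in the UNC paths are an assumption.

```python
"""Apply the report's AD-to-POSIX attribute mapping to one Active Directory entry.

Added example, not from the OurBox report or from nss-pam-ldapd. It mirrors the
'map passwd ...' / 'map shadow ...' lines of Listing 3.2 in plain Python so the
resulting passwd/shadow data can be inspected before trusting the client setup.
"""
from datetime import date, timedelta

FILETIME_EPOCH_DELTA = 11_644_473_600         # seconds from 1601-01-01 to 1970-01-01
FILETIME_NEVER = 9_223_372_036_854_775_807    # accountExpires value meaning "never"

# posix field -> AD attribute, as in Listing 3.2 (loginShell is a literal there)
PASSWD_MAP = {
    "uid": "sAMAccountName",
    "uidNumber": "msSFU30UidNumber",
    "gidNumber": "primaryGroupID",
    "homeDirectory": "homeDirectory",
    "gecos": "description",
}
LOGIN_SHELL = "/bin/bash"


def filetime_to_unix(ft: int) -> int:
    """AD stores pwdLastSet/accountExpires/lastLogon as 100 ns ticks since 1601-01-01."""
    return ft // 10_000_000 - FILETIME_EPOCH_DELTA


def filetime_to_days(ft: int) -> int:
    """shadow(5) fields count days since 1970-01-01; that is what shadowLastChange needs."""
    return filetime_to_unix(ft) // 86400


def days_to_iso(days: int) -> str:
    return (date(1970, 1, 1) + timedelta(days=days)).isoformat()


def map_passwd(entry: dict, overrides: dict = None) -> dict:
    """Build the passwd fields; overrides swaps the AD attribute used for a posix field."""
    mapping = {**PASSWD_MAP, **(overrides or {})}
    posix = {field: entry.get(ad_attr, "") for field, ad_attr in mapping.items()}
    posix["loginShell"] = LOGIN_SHELL
    return posix


def passwd_line(posix: dict) -> str:
    return "{uid}:x:{uidNumber}:{gidNumber}:{gecos}:{homeDirectory}:{loginShell}".format(**posix)


def map_shadow(entry: dict) -> dict:
    """shadow fields from Listing 3.2, plus accountExpires for the expiry column."""
    expires = int(entry.get("accountExpires", FILETIME_NEVER))
    return {
        "uid": entry["sAMAccountName"],
        "shadowLastChange": filetime_to_days(int(entry["pwdLastSet"])),
        "shadowExpire": None if expires in (0, FILETIME_NEVER) else filetime_to_days(expires),
    }


def home_is_unix_path(posix: dict) -> bool:
    """AD's homeDirectory usually holds a UNC path (\\\\server\\share), which PAM/nslcd
    cannot use as a login directory; mapping it 1:1 is the pitfall this check catches."""
    return posix["homeDirectory"].startswith("/")


# Constructed entry: attribute names and values taken from the ldapsearch output in
# Listing 4.2 of the report; the UNC backslashes are restored by hand (assumption).
SAMPLE_ENTRY = {
    "sAMAccountName": "120683",
    "primaryGroupID": "513",
    "homeDirectory": r"\\moa.stud.hig.no\home\120683",
    "homeDrive": "H:",
    "msSFU30UidNumber": "48157",
    "msSFU30HomeDirectory": "/srv/stud/moa/home/120683",
    "pwdLastSet": "130715710708939558",
    "accountExpires": "9223372036854775807",
}

if __name__ == "__main__":
    p = map_passwd(SAMPLE_ENTRY)
    print(passwd_line(p), "| unix home:", home_is_unix_path(p))
    s = map_shadow(SAMPLE_ENTRY)
    print(s["uid"], s["shadowLastChange"], days_to_iso(s["shadowLastChange"]))
```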
122. sn't running this command as root, the user needs to start a user session with the qemu hypervisor (line 15). Line 14 created a new virtual image and automatically started the machine. If many virtual machines start simultaneously the host will run slowly; therefore we force powering the virtual image off.

The step above is also possible to do in the virt-manager GUI. The problem is that this is not straightforward. This is not a problem if the qcow2 file is in the folder VirtualMachines. To make a user able to do this we can follow this step-by-step guide [24]:

Step 1: Create a new VM from the "Import existing disk image" option.
Step 2: Choose your qcow2 image.
Step 3: Select "Customize configuration before install" before you go forward (note: without this step you will get a "non bootable" message from the virtual machine).
Step 4: Identify the qcow2 format of the image and begin installation: Disk 1 > Advanced options > Storage format: qcow2 > Begin Installation.

4.4.2 Virtualbox implementation

Installation of Virtualbox

There are several versions of Virtualbox and extension packs which give Virtualbox different features. We needed to be able to bridge the USB ports from the host machine to the virtual machine. To accomplish this we had to install an extension pack on the host machine. Every version of Virtualbox has its own extension pack, whereof the newest releases has
123. sts of completion of the project are covered as follows: Employer covers completion of the project, such as materials, phone, fax, travelling and necessary accommodation on places far from GUC. Students cover the expenses for printing and completion of the written assignment of the project. The right of ownership to potential prototypes falls to those who have paid for the components and materials and so on used to make the prototype. If it is necessary with larger or specific investments to complete the project, an own agreement has to be made between the parties about potential cost allocation and right of ownership.

3. GUC is no guarantor that what the employer has ordered works after intentions, nor that the project will be completed. The project must be considered as an exam-related assignment that will be evaluated by lecturer, supervisor and examiner. Nevertheless it is an obligation for the performer of the project to complete it according to specifications, function level and times as agreed upon.

4. The total assignment with drawings, models and apparatus as well as program listing, source codes and so on included as a part of or as an appendix to the assignment is handed over as a copy to GUC, who free of charge can use it in lessons and for research purposes. The assignment or appendix cannot be used by GUC for other purposes and will not be handed over to an outsider without an agreement with the rest of the parties in this agreement. T
124. sword
AttributeDescription: uidNumber
AttributeDescription: gidNumber
AttributeDescription: cn
AttributeDescription: homeDirectory
AttributeDescription: loginShell
AttributeDescription: gecos
AttributeDescription: description
AttributeDescription: objectClass
Response In: 17
sAMAccountName=121088

CLI returns: 121088 15578 99999 0

Wireshark:
Protocol  Length  Info
TCP       66      41825 > ldap [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSv
LDAP      132     bindRequest(1) "cn=120683,ou=12HBNUA,ou=student,dc=hig,dc=no" simple
LDAP      88      bindResponse(1) success
TCP       66      41825 > ldap [ACK] Seq=67 Ack=23 Win=29312 Len=0 TSV
LDAP      88      searchResDone(2) success [9 results]
LDAP      73      unbindRequest(3)
TCP       66      ldap > 41825 [ACK] Seq=45 Ack=286 Win=65251 Len=0 TSval=22518778 TSecr=3717286
TCP       66      41825 > ldap [ACK] Seq=286 Ack=46 Win=29312 Len=0 TSval=3717286 TSecr=22510778
          82      117286 TSecr=22510778

14.04.15
- Interesting: when we enter "id 121088" the PC does an LDAP search (sAMAccountName=121088) and the LDAP server responds successfully with a lot of information about this user. However, the prompt returns that there is no user with id 121088.

59  10.286837086  19.10.0.239  128.39.140.10  TCP   66   52983 > ldap [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=295657 TSecr=0
60  10.286866006  19.10.0.230  128.39.140.10  LDAP  132  bindRequest(1) "cn=128683,ou=12HBWUA,ou=student,dc=hig,dc=no" simple
61  10.290131006  128.39.140
125. sword ad

To get the login screen (lightdm) to not show a list of users, which it does as standard for Ubuntu, we need to add some customization:
- We need to add a file in /etc/lightdm: just add lightdm.conf there.
- Then put in the lines:

  [SeatDefaults]
  greeter-hide-users=true
  greeter-show-manual-login=true

- greeter-hide-users=true: this makes it so that you don't get a list of users as you usually do.
- greeter-show-manual-login=true: this makes it possible to enter a username and a password.
- Sources:
  - http://www.tejasbarot.com/2014/04/25/hide-users-login-as-other-user-from-login-screen-ubuntu-14-04-lts-trusty-tahr
  - https://wiki.ubuntu.com/LightDM
- Trying to reconfigure everything with libpam-ldapd, which contains the packages ldap-utils, libnss-ldapd, libpam-ldapd, nscd and nslcd.
  - http://arthurdejong.org/nss-pam-ldapd/nslcd.conf.5
  - http://linux.web.cern.ch/linux/docs/account-mgmt.shtml

20.04.15
- Got NSLCD to work. This is the /etc/nslcd.conf:

  # /etc/nslcd.conf
  # nslcd configuration file. See nslcd.conf(5)
  # for details.

  # The user and group nslcd should run as.
  uid nslcd
  gid nslcd

  # The location at which the LDAP server(s) should be reachable.
  uri ldap://128.39.140.10

  # The search base that will be used for all queries.
  base ou=student,dc=hig,dc=no

  # The LDAP protocol version to use.
  ldap_version 3

  # The
126. t Directory Access Protocol) is a protocol used for accessing and maintaining information over the internet. The main purpose of this protocol is that it can send and retrieve records with a hierarchical structure, e.g. information about persons, mail lists, phone lists etc. This protocol can also be used when we want to compare an attribute's value against another value. An LDAP server refers to a server running software like Active Directory (Windows) or OpenLDAP (Linux) (supported list of LDAP software [8]), and these are servers that a client can authenticate users against.

3.2 PAM

3.2.1 What is PAM

PAM (Pluggable Authentication Module) [9] is a mechanism/framework which makes it possible for applications to authenticate against an LDAP server and perform authentication-related activities. While LDAP is the protocol through which the information goes forth and back, PAM is a library with all the necessary code for an application to perform an authentication against an LDAP server. The core pieces of PAM are a library (libpam) and a collection of PAM modules, which are dynamically linked libraries (.so files) in the folder /lib/security.

3.2.2 Advantages of PAM

1. It provides a common authentication scheme that can be used with a wide variety of applications.
2. It allows great flexibility and control over authentication for both the system administrator and the application developer.
3. It allows application developers to develop their
127. t this does is that when a user logs onto the machine, the user will not have a choice between the two different desktop environments (see Figure 9).

Startup file

As default, Virtualbox also needs to start when the user logs into the system. That is where the startup file comes in; as mentioned in section 3.7.2, the startup file is generated by /usr/bin/startfluxbox. We had to edit this file to start Virtualbox in our installation script.

Listing 4.16: Insert into startfluxbox

sed -i 's/exec fluxbox/exec virtualbox \&\n exec fluxbox/g' /usr/bin/startfluxbox

This replaces the line in startfluxbox where it says "exec fluxbox" with "exec virtualbox &" followed by "exec fluxbox", where the & means run in the background.

TTY

TTY consoles (or virtual consoles) need to be removed from the /etc/init folder so that the user cannot enter any CLI. We accomplished this by moving the /etc/init/tty*.conf files with our installation script by adding:

Listing 4.17: Move TTY consoles

mv /etc/init/tty1.conf /home/username/Desktop
mv /etc/init/tty2.conf /home/username/Desktop
mv /etc/init/tty3.conf /home/username/Desktop
mv /etc/init/tty4.conf /home/username/Desktop
mv /etc/init/tty5.conf /home/username/Desktop
mv /etc/init/tty6.conf /home/username/Desktop

Where username is the name of the administrator on the host machine.

4.4 Hypervisor

Our employer wanted it to cost as little as possible, so we
128. t would be to make the management of the system centralized and make it more secure. Our thought has been to develop a working prototype; there is still some work to do before it is finished, e.g. encrypting the data going between the host and the AD server. This is very critical and must be improved, which in theory can be solved by adding an SSL certificate to the host. The skeleton of the system is done. An improvement might be that for the vdi images you might want to have them on a server, so that the virtual machines do a PXE boot when creating new virtual images.

Another thing will be to make it possible for guest users to use the system, since there are some problems with the guest user only being a temporary user. You will have to customize the guest session; here might be a solution [26]. All the missing requirements in 5.1 are also something that should be considered future work.

5.4 Evaluation

5.4.1 Introduction

Working with this project has been challenging and interesting. This project was our first pick and we were lucky to get it. At first we were not sure what this task was about. We knew it had something to do with virtualization and Cisco, so that piqued our interest. As we asked Thomas more questions and learned more about what he wanted, we realized that we had misunderstood what the task was about. We had big plans of what we were going to make. We thought at first he wanted to have everything centralized
129. talled the system you won't be able to log into Unity (aka Ubuntu) but only Fluxbox. Same with the users.

3 Switch the Desktop

If there is anything you as an administrator need to have done, this is what you do to get back to the regular Ubuntu desktop:

1. Step: Log on as the administrator.
2. Step: Right-click on the desktop.
3. Step: Enter the submenu Switch Environment.
4. Step: Select Unity.
5. Step: Log out.
6. Step: Left-click the circle in the login prompt; it should be in the top right (see figure 1).
7. Step: Select Ubuntu (see figure 2).
8. Step: Now you have got the regular Ubuntu; here you can do your configuration.
9. Step: Now that you are done with what you needed to do, log out.
10. Step: Do the same as you did in steps 6-7, except you choose Fluxbox.
11. Step: Do the same as in steps 3-4, except you choose Fluxbox.

4 Semester maintenance

Our recommendation is to just redo section 2 (installation), since there will probably be a lot of users that have logged onto the system; they will also have a home folder on the machine and their user will be in the accounts on the system.

5 How to make an image

1. Step: Download the desired operating system.
2. Step: Open Virtualbox.
3. Step: Select New.
4. Step: Enter the desired name for the image and OS version. Click Next.
5. Step: Select how much memory, preferably 2048 MB. Click Next.
6. Step: Select "Create a Virtual hard drive now". Click Cre
130. teknik, we would do this:

ldapsearch -x -h 128.39.41.128 -b dc=hig,dc=no -p 389 uid=120683 ou=Avdeling for informatikk og medieteknik

18.03.15 Meeting minutes
- We must have testing on the plan.
- Does the Gantt chart follow up the requirements spec? Ask Erik.
- Read about user acceptance before we do testing and before we write about it.
  - It should be in accordance with the requirements spec.
  - Use Thomas, the assistants and 2 other random people. Max 5.
  - 15-20 April we should do it. We cannot 27 March - 10 April (Thomas).
- Meeting with Erik on 10 April and meeting with Thomas on 15 April where we talk about how we are going to test.

20.03.15
- Started working a little bit on the report.
- LDAP
  - If we want to check a user with uid 120683 and compare the username Maluchev, we can compare this by first specifying the full DN and then the sn:

    ldapcompare -x -h 128.39.41.128 "uid=120683,ou=Avdeling for informatikk og medieteknik,dc=hig,dc=no" sn:Maluchev
    > TRUE

    This will return true, false or an error message.
  - If we have an account in the ldap directory we can try this link: http://www.unixmen.com/configure-linux-clients-authenticate-using-openldap

23.03.15
- Some nice general information around PAM:
  - https://www.digitalocean.com/community/tutorials/how-to-use-pam-to-configure-authentication-on-an-ubuntu-12-04-vps
- Some nice information on how to authenticate with ldap using libpam_ldap: https://www.digitalocean.com/community/tutorials/how-to
131. ten a path to an iso.
- --accelerate: use kernel acceleration capabilities.
- --import: used when an existing disk image is already made.
- qemu-img create: is used when a new image is created, e.g. to create a qcow2 image of an img.
  - -f: is used to specify the format of the source image.
  - -b: defining the source image and the destination image: -b path/to/source.img path/to/destination.qcow2

3.8.3 Virtualbox

With Virtualbox the user gets a user interface where users can create virtual machines, which is easy to use, and the administrator gets the possibility to make virtual machines through the CLI (VBoxManage). The administrator also has the opportunity to restrict certain options for the user interface with the CLI [21].

VBoxManage

Listing 3.7: VBoxManage commands [6]

VBoxManage createvm
VBoxManage modifyvm
VBoxManage storagectl
VBoxManage storageattach

- createvm: creates a virtual machine so it is possible to see it in the GUI.
- modifyvm: an administrator can do a lot of different things to modify the virtual machines that have been created.
- storagectl: attaches, removes or adds a storage controller.
- storageattach: attaches, removes or adds a medium to the storage controller.

There is a lot more information in the manual which is not mentioned here, but these commands are essential to this bachelor thesis.

3.9 Profile.d

/etc/profile.d is a collection of scripts which run as a user logs in. T
132. the diagram the activities are listed, and on the right side is the time scale we think will be suitable for each activity. Notice that there are 5 deadlines marked with red, and those will be very important not to overrun. It's also important to have in mind that this Gantt diagram is a working plan we think will be the right way to work after. Often there are problems which come along the way and therefore the schedule must be changed. And yes, when we were halfway in the project we needed to create a new Gantt diagram which was more specific and precise (see Figure on page 7). The new Gantt diagram shows that our first working plan was relatively well structured when it comes to the time scope and how much time we needed for getting those activities done. However, we spent more time than we thought on testing and making the final decision on which hypervisor we are going to use.

1.6 Roles

In this project there will be four persons involved:
- Employer: is the one who has given us this project. He is the system's owner. Thomas Kemmrich.
- Tutor: he will be our tutor throughout this project. He will help us if we get something we don't know how to do. He is not responsible for giving us the answer to the problems along the way, but he can tell us a possible way to solve a problem. Erik Hjelmås.
- Project leader: Stepan Maluchev.
- Member: team worker on this project. Gavin Thomas Garrad.

1.7 Terminologi
133. the group's name, mounting point and shell.

Listing 4.7: getent passwd 121088

121088:*:121088:513:Gavin Thomas Garrad:\\imoa.stud.hig.no\home1\121088:/bin/bash

4.1.4 Configuring LDAP: Mapping mounting directory

Now that the loginshell has been specified to be /bin/bash, which is the default CLI, the user got an empty shell containing nothing inside. The user must be mounted in the local home directory with its own username and not the remote place as the AD server says. Therefore the home directory attribute needed to be changed. First we tried overriding the attribute like this:

Listing 4.8: getent passwd 121088

nss_override_attribute_value homeDirectory /home/121088

This gave the user a shell in the specified directory, but if another user tried to log in they too would be granted the same directory. What we needed was a dynamic configuration file where we could use a variable to store the username. This way every user would get its own home directory. Since the package libpam-ldap (see section 3.4) had its main configuration file for LDAP in a non-dynamic file, we upgraded the package to libpam-ldapd (see section 3.3). This package uses /etc/nslcd.conf as its main configuration file.

Listing 4.9: Mapping with AD (nslcd.conf)

filter passwd (&(objectClass=user))
map passwd uid sAMAccountName
map passwd gidNumber ASIA
map passwd homeDirectory "/home/$sAMAccount
134. tten of April we should be done with the physical part, and then we will use 2 weeks to finish writing the report. When we are writing on one thing but suddenly get stuck, write on something else and divide the task. Before Easter we should try and fail; after that we must write a good deal and get things to work in the report. We must find a solution for how we are going to use LDAP for authorisation. For the authorisation it would have been nice if it were possible with guest groups, so that people who are not students here also get access. John says (Thomas thinks) that VirtualBox can satisfy many of the requirements. During February we should be done with how everything is going to be and ready to start working physically. Thomas says we shall have a minimum of 2 NICs, but if more are needed that is not a problem.

- 802.1q Cisco standard: have a look at what it entails for him; he wants the NIC to have support for it.

28.01.15 Minutes from meeting
- Regarding the first part delivery:
  - The goal of this task is not to build large networks, but at a later occasion it should be possible. Second step. The main point at this stage is to have a hypervisor that is restricted with group permissions.
  - task description as bullet points. Frode was supposed to have had some crash courses in how to make a requirements spec.
- It must be possible to copy/paste between the different VMs.
- On 10 February we shall be done with the requirements spec and how
135. uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

  - Jon mentioned that maybe the reason the user logs out instantly is that it doesn't have a home directory and it doesn't know what shell the user is using.

08.04.15
- Writing on the analysis part of the report.
- Now when we log in with our student number and the right password we are authenticated through the AD, but since the host doesn't know where the home directory is we are automatically logged out. In the log file it looks like this: [log excerpt not legible in this copy]
  The log says that the user cannot be found, but it opens a session for the user. Not sure why we get this error message, but John said that the error came from missing knowledge of which home directory to mount.
- Trying to understand how we can use the UID from the AD to create a user on the host with a new local home directory.
  - Cannot figure this out.
- TIPS: If we need to reinstall the OS we only need to install these packages to set up ldap: sudo apt-get install libnss-ldap ldap-utils
  - Update the pam files: pam-auth-update

10.04.15
- Reading this, which is the RFC for AD mappings in ldap:
  - http://www.rfc-base.org/txt/rfc-2307.txt
  - http://manpages.ubuntu.com/manpages/quantal/man8/pam_mkhomedir.8.html
  - https://cdc.iseage.org/tutorial/pam-ldap-authentication-active-directory-debianubuntu
- When we try to SSH into the host we get this error msg:
136. ut fails
  - First I tried to make an ldapsearch with the same binddn and I got a connection:

    ldapsearch -x -h 128.39.140.10 -b ou=student,dc=hig,dc=no -p 389 -D cn=120683,ou=12HBWUA,ou=student,dc=hig,dc=no -W samaccountname=120683

    - How to make an ldapsearch: http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend
- NOTE: the file /etc/nsswitch.conf lets us set where the credentials like password, groups and shadow will be gathered from. The default is compat or files, which means that the information is to be found on the local machine. In our case we must set ldap after files. This way, if the user is not found on the local machine it will try to authenticate through the ldap server. For now we cannot get the connection with the LDAP server with our username.
  - More info about nsswitch.conf: http://searchitchannel.techtarget.com/feature/Using-nsswitchconf-to-find-Linux-system-information
- People say that we should use sssd rather than nss_ldap, pam_ldap or nscd: http://serverfault.com/questions/626527/client-authentication-invalid-credentials-ldap
  - When installing sssd on ubuntu server 14.04 there is no default sssd.conf file in /etc/sssd, but there is one located in /usr/share/doc/sssd-common/examples/sssd-example.conf. Now we need to copy that one into /etc/sssd/sssd.conf:

    cp /usr/share/doc/sssd-common/examples/sssd-example.conf /etc/sssd/sssd.conf

    - http://askubuntu.com/questions/247763/why-is-my
137. were recommended by our tutor and others to look at KVM and Virtualbox.

4.4.1 KVM implementation

First we installed the KVM package, libvirt and the desktop user interface virt-manager.

Listing 4.18: Install KVM

sudo apt-get install kvm libvirt-bin virt-manager

Next we created an img from an iso file. We set the r-x permission on the img file because users must be able to execute and read the file to be able to create a personal qcow2 image.

Listing 4.19: Create an img

virt-install -n ubuntu --vcpus 1 -r 1024 --disk path=/home/ourbox/Desktop/libvirt/ubuntu.img,size=8 --cdrom /home/ourbox/Desktop/os/ubuntu-14.04.2-desktop-amd64.iso --accelerate
sudo chmod 755 /home/ourbox/Desktop/libvirt/ubuntu.img

Now an Ubuntu image was created and was readable and executable by everyone, but only the ourbox admin could write to it. In /etc/profile.d we created a script that created 5 qcow2 images.

Listing 4.20: defaultLibvirtFile.sh

#!/bin/bash
me=$(whoami)
if [ "$me" = "user" ]; then
  if [ ! -d VirtualMachines ]; then
    mkdir VirtualMachines
  fi
  for i in $(seq 1 5); do
    if [ ! -f VirtualMachines/ubuntu$i.qcow2 ]; then
      qemu-img create -f qcow2 -b /home/ourbox/Desktop/libvirt/ubuntu.img VirtualMachines/ubuntu$i.qcow2
      if [ $i -lt 1 ]; then
        virt-install
138. y for a user to copy and paste from host to the VM and vice versa [25]. This seemed very unstable and did not work all the time. Because the grouping was scheduled after the authentication part, which took longer than expected, there was no time left to research and implement it. We do have a theory of how it could be implemented, which is that every user gets their own group, which they then administer and can add users into. We do not know if this is possible or not, but it would be ideal if it was, since Thomas has mentioned he does not want to administer the grouping of the students. He wants a project leader to be able to add other students into his group so they have access to the same virtual machines.

5.2 Critique of the thesis

We tried to make the host machine as secure as we could by limiting the possibility for a user to tamper with the host machine, but since the users have access to the hardware there are limits to how secure we could make it. We have also mentioned to our employer that an authentication through LDAP might not be the best way, since this means that the host machine always needs to be connected to the network. As the user has access to the hardware this might not always be the case, but the only downside is then that they will not be able to log into the machine. We had set up a week for testing which we did not get to do, since we used much of our time on the authentication.

5.3 Future work

The continuance of this projec
139. y new user. This could be done in /etc/pam.d/common-session, where we had to add this line:

Listing 4.10: Make a home directory

session required pam_mkhomedir.so skel=/etc/skel umask=0077

Since the definition for common-session is "Allocates the resources that a user might need during a login session, for example mounting the user's home directory, setting resource usage limits, printing a message of the day, etc.", we require the pam_mkhomedir.so module, which is a module that gives users a new default home directory. /etc/skel is a directory containing all the necessary files and directories that will be copied automatically over to the new user's home directory. umask=0077 sets the privileges for the users, which in this case will prevent users from entering others' home directories (use 0022 for giving the users more access).

4.2 Desktop Environment

4.2.1 Unity greeter

The original greeter will show a list of users that have already logged in. What we want is that when a user turns on a machine, the user must be able to enter his/her student number and password and not see any list of other users. How we did this is by adding a file /etc/lightdm/lightdm.conf and inserting the lines:

Listing 4.11: lightdm.conf

[SeatDefaults]
greeter-hide-users=true
greeter-show-manual-login=true
allow-guest=false

4.2.2 Window manager

Profile.d

We tried to launch