Blog Entry

Fun fun fun - server consolidation time in my home office. I was retiring some old, old Compaq servers.
Here is my 'how-to' guide - maybe some of you will find it useful.
Posted at: Provo, UT
The new hardware is a Dell P4, 2GB RAM, 1TB storage (4x 300GB SATA RAID 5)
Install SLES 10, no GUI, runlevel 3 only. Disable pretty much everything not needed.
I chose ext3 for /, xfs for my NAS filesystem; I've had good results using xfs - reliability and performance.
Next, optimisation of the filesystem and network stack in /etc/sysctl.conf:
#/etc/sysctl.conf
# Reduces the amount of work the TCP stack does.
net.ipv4.tcp_stack = 0
# The number of inodes (fs.inode-nr) available to the Linux kernel should be 3-4 times
# greater than the fs.file-max parameter
fs.inode-nr = 128000
# Maximum number of file handles that can be open at a given time (default=4096)
fs.file-max = 64000
Apply the configuration and reboot:
chkconfig boot.sysctl on
Install the Kerberos client libraries. This can be done from YaST or the ZENworks updater. The basic modules needed are:
- krb5
- krb5-client
- pam-krb5
Install the SAMBA pieces:
- samba
- samba-client
- samba-winbind
Next, configuration of SAMBA and the Kerberos environment. I found that YaST wouldn't let me set this up correctly, so I edited the two files by hand: /etc/krb5.conf and /etc/samba/smb.conf.
Note that krb5.conf expects everything AD-related (the realm names in particular) in upper case. It took me a few tries to realise that.
I've cleansed the real information; for the record there is no AD infrastructure at evilzenscientist.com, it's just illustrative.
Active Directory server: 192.168.0.16, EZS-KDC
Active Directory tree: ezs-ad.evilzenscientist.com
Active Directory 'domain': EZS-AD
#/etc/krb5.conf
[libdefaults]
    default_realm = EVILZENSCIENTIST.COM
    clockskew = 300

[realms]
    EVILZENSCIENTIST.COM = {
        kdc = 192.168.0.16
        default_domain = EZS-AD
        admin_server = 192.168.0.16
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

[domain_realm]
    .EZS-AD = EVILZENSCIENTIST.COM

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        try_first_pass = true
    }
Next is the SAMBA configuration, /etc/samba/smb.conf:
#/etc/samba/smb.conf
[global]
    workgroup = EZS-AD
    realm = EZS-AD.EVILZENSCIENTIST.COM
    password server = EZS-KDC.EZS-AD.EVILZENSCIENTIST.COM
    security = ADS
    encrypt passwords = yes
    server string = %h SAMBA %v SLES 10
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes

[data]
    comment = data
    read only = no
    path = /data
    user = @"EZS-AD+domain users"
Next is the Active Directory authentication configuration.
Edit /etc/nsswitch.conf and make sure that these lines are present (winbind is what makes the AD users and groups visible to the system):
#/etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
Reboot and then test the Kerberos implementation:
kinit administrator@EZS-AD.EVILZENSCIENTIST.COM
This should prompt for a password and return no errors. Note that the clocks of the client and the AD KDC need to be closely synchronised: Kerberos rejects requests whose time offset exceeds the clockskew set in krb5.conf (300 seconds above). Look at running NTP on the server.
Join the server to the AD domain:
net ads join
Using short domain name -- EZS-AD
Joined 'EZS-NAS' to realm 'EZS-AD.EVILZENSCIENTIST.COM'
There are some testing steps; look at the getent tool (the database names are passwd and group):
getent passwd
getent group
These should return the users and groups from the AD world, with UIDs and GIDs from the idmap ranges set in smb.conf.
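As an added check that is not part of the original post, here is a small shell script that validates the three files above against each other and against getent output: it confirms the realm names are upper case, that smb.conf's realm matches krb5.conf's default_realm, that nsswitch.conf routes passwd and group through winbind, and that the UIDs winbind hands out for AD accounts fall inside the idmap uid range. The sample files it writes are constructed to mirror the listings above (the passwd.out content is made up). One thing the realm check flags on those listings is that krb5.conf's default_realm reads EVILZENSCIENTIST.COM while smb.conf's realm and the kinit principal use EZS-AD.EVILZENSCIENTIST.COM; on a live box the two need to agree.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks for the
# krb5.conf / smb.conf / nsswitch.conf trio and for the UIDs winbind hands out.
# Sample files are constructed below to mirror the post's listings; on a live
# box point the functions at the real files and at saved "getent passwd" output.

# conf_get FILE KEY: print the value of "KEY = value" (first match only).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# is_upper STRING: succeed if STRING contains no lowercase letters.
# Kerberos realm names are case-sensitive; AD expects the DNS name upper-cased.
is_upper() {
    case "$1" in *[[:lower:]]*) return 1 ;; esac
    return 0
}

# check_realms KRB5CONF SMBCONF: default_realm and realm must be upper case and equal.
check_realms() {
    krb=$(conf_get "$1" default_realm)
    smb=$(conf_get "$2" realm)
    is_upper "$krb" || { echo "krb5.conf default_realm is not upper case: $krb"; return 1; }
    is_upper "$smb" || { echo "smb.conf realm is not upper case: $smb"; return 1; }
    [ "$krb" = "$smb" ] || { echo "realm mismatch: krb5.conf=$krb smb.conf=$smb"; return 1; }
    return 0
}

# check_nsswitch NSSWITCH: passwd and group lookups must both go through winbind.
check_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:[^#]*[[:space:]]winbind([[:space:]]|$)" "$1" \
            || { echo "nsswitch.conf: $db does not list winbind"; return 1; }
    done
    return 0
}

# check_idmap SMBCONF PASSWD_FILE: every AD account (name contains the winbind
# separator) must have a UID inside "idmap uid = LOW-HIGH"; local accounts are skipped.
check_idmap() {
    range=$(conf_get "$1" "idmap uid")
    sep=$(conf_get "$1" "winbind separator")
    low=${range%-*}
    high=${range#*-}
    bad=0
    while IFS=: read -r name pw uid rest; do
        case "$name" in *"$sep"*) ;; *) continue ;; esac
        if [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
            echo "idmap: $name has uid $uid outside $low-$high"
            bad=1
        fi
    done < "$2"
    return $bad
}

# run_checks DIR: run all three checks on DIR/{krb5.conf,smb.conf,nsswitch.conf,passwd.out}.
run_checks() {
    rc=0
    check_realms "$1/krb5.conf" "$1/smb.conf" || rc=1
    check_nsswitch "$1/nsswitch.conf" || rc=1
    check_idmap "$1/smb.conf" "$1/passwd.out" || rc=1
    return $rc
}

# setup_samples DIR: write constructed sample files mirroring the post's listings.
setup_samples() {
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EVILZENSCIENTIST.COM
    clockskew = 300
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
    workgroup = EZS-AD
    realm = EZS-AD.EVILZENSCIENTIST.COM
    security = ADS
    winbind separator = +
    idmap uid = 10000-20000
EOF
    printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$1/nsswitch.conf"
    # Constructed "getent passwd" output: one local account and two AD accounts,
    # the second with a UID outside the idmap range.
    cat > "$1/passwd.out" <<'EOF'
root:x:0:0:root:/root:/bin/bash
EZS-AD+administrator:*:10000:10000:Administrator:/home/EZS-AD/administrator:/bin/false
EZS-AD+jdoe:*:25000:10000:John Doe:/home/EZS-AD/jdoe:/bin/false
EOF
}
```

On a real server, source the script and call check_realms, check_nsswitch and check_idmap against /etc/krb5.conf, /etc/samba/smb.conf, /etc/nsswitch.conf and a saved copy of getent passwd output; a UID outside the idmap range usually means the range was changed after winbind had already allocated mappings.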
That's it for now; I'm the happy owner of a good, fast NAS box that is integrated into my Active Directory.
For the record - I have found that SLES 10 + SAMBA is about 30% faster than a Windows 2003 server on the same hardware. Cheaper and Faster - now that's a result.
User Comments
So SLES10 with SAMBA is
Submitted by Jim Webb (not verified) on 7 December 2006 - 7:36pm.
So SLES10 with SAMBA is cheaper and 30% faster yet you use Active Directory for this example which requires you buy Windows server. Kinda defeats SLES being cheaper? Why not give an example using OpenLDAP or eDirectory which can both run on the SLES server? I'm not trying to give you a hard time but a Novell employee giving an example using Active Directory?
It wasn't an example - it
Submitted by Martin Buckley (not verified) on 7 December 2006 - 11:30pm.
It wasn't an example - it was a real server consolidation:
Fun fun fun - server consolidation time in my home office. I was retiring some old, old Compaq servers
Yes - I use Active Directory. I have a requirement for it. I also use Vista RTM, Windows XP and most Microsoft products. I would be more shocked that people in Novell were not using these.
I wrote up the installation and integration because I couldn't find anything similar for SLES 10 on the net.
If it doesn't help then fine. If it does - then I'm happy.
Jim is right. I would rather
Submitted by M. Duran (not verified) on 9 December 2006 - 10:42am.
Jim is right. I would rather see an eDirectory instead of Active Directory. This is also nice for the people using AD.
Good Post Martin. This is
Submitted by Grant Ballard (not verified) on 9 December 2006 - 10:01pm.
Good Post Martin. This is something that I'm sure I will come back and reference in the future. Thanks for being considerate enough to document the work you went to.
Grant Thanks for the kind
Submitted by Martin Buckley (not verified) on 10 December 2006 - 6:15pm.
Grant
Thanks for the kind words.
For the other posters - I'll add an eDirectory centric version of this to my to-do list.
Martin This is awesome.
Submitted by Adam Daughhetee (not verified) on 25 January 2007 - 9:39am.
Martin
This is awesome. Sometimes people need AD and it's good to know we can keep it without the newest Windows Server. Of course it can be done with eDirectory, but there is nothing interesting about that. As a consultant I need to work with Windows. I can't just turn those contracts down because it's "evil" Microsoft. Also, this just goes to show the advantages of SLES and you can't do that without having the Windows to compare it with. Thanks for this. I'm sure I'll use it.