Pro Ubuntu Server Administration
Sander van Vugt
Pro Ubuntu Server Administration
Copyright © 2009 by Sander van Vugt
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
ISBN-13 (pbk): 978-1-4302-1622-3
ISBN-13 (electronic): 978-1-4302-1623-0
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence
of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark
owner, with no intention of infringement of the trademark.
Lead Editor: Frank Pohlmann
Technical Reviewer: Samuel Cuella
Editorial Board: Clay Andres, Steve Anglin, Mark Beckner, Ewan Buckingham, Tony Campbell,
Gary Cornell, Jonathan Gennick, Michelle Lowman, Matthew Moodie, Jeffrey Pepper, Frank Pohlmann,
Ben Renow-Clarke, Dominic Shakeshaft, Matt Wade, Tom Welsh
Project Manager: Beth Christmas
Copy Editor: Bill McManus
Associate Production Director: Kari Brooks-Copony
Production Editor: Elizabeth Berry
Compositor: Linda Weidemann
Proofreader: Liz Welch
Indexer: Becky Hornyak
Artist: April Milne
Cover Designer: Kurt Krames
Manufacturing Director: Tom Debolski
Distributed to the book trade worldwide by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor,
CHAPTER 4 Performance Optimization
CHAPTER 5 Advanced File System Management
CHAPTER 6 Network Monitoring
CHAPTER 7 Creating an Open Source SAN
CHAPTER 8 Configuring OpenLDAP
CHAPTER 9 Integrating Samba
CHAPTER 10 Configuring Ubuntu Server As a Mail Server
CHAPTER 11 Managing Ubuntu Server Security
CHAPTER 12 Configuring Ubuntu Server As a VPN Server
CHAPTER 13 Configuring Kerberos and NTP on Ubuntu Server
CHAPTER 14 Ubuntu Server Troubleshooting
INDEX
Contents
Foreword
About the Author
Completing the Installation
Post-Installation Tasks
Setting Up NIC Bonding
Setting Up Multipathing
Summary
N
CONTENTS
viii
CHAPTER 2 Using Ubuntu Server for System Imaging
Setting Up a Clonezilla Imaging Server
Setting Up Diskless Remote Boot in Linux
Installing the DRBL Software
Configuring the DRBL Software
Setting Up the DHCP Server
Completing Clonezilla Configuration
Configuring the Clients for Cloning
CHAPTER 4 Performance Optimization
Strategies for Optimizing Performance
About /proc and sysctl
Applying a Simple Test
CPU Tuning
Understanding CPU Performance
Optimizing CPU Performance
Tuning Memory
Understanding Memory Performance
Optimizing Memory Usage
Tuning Storage Performance
Understanding Storage Performance
Optimizing the I/O Scheduler
Optimizing Ext2/Ext3
Tuning XFS
What About ReiserFS?
Summary
CHAPTER 6 Network Monitoring
Starting with Nagios
Configuring Nagios
Location of the Configuration Files
The Master Configuration File: nagios.cfg
Creating Essential Nagios Configuration Files
Installing NRPE
Configuring NRPE on the Monitored Server
Configuring the Nagios Server to Use NRPE
Heartbeat Beyond the Open Source SAN
Summary
CHAPTER 8 Configuring OpenLDAP
Using the LDAP Directory
Introducing OpenLDAP
Configuring OpenLDAP
Installing OpenLDAP
Configuring the Server
Adding Information to the LDAP Database
Using ldapsearch to Verify Your Configuration
Using LDAP Management Commands
Modifying Entries in the LDAP Database
Deleting Entries from the LDAP Database
Preparing Samba to Talk to LDAP
Preparing LDAP to Work with Samba
Telling Samba to Use LDAP
Using Samba As a Primary Domain Controller
Changing the Samba Configuration File
Creating Workstation Accounts
Integrating Samba in Active Directory
Making Samba a Member of the Active Directory Domain
Using Kerberos to Make Samba a Member of Active Directory
Authenticating Linux Users on Windows with Winbind
Summary
CHAPTER 10 Configuring Ubuntu Server As a Mail Server
Understanding the Components of a Mail Solution
CHAPTER 11 Managing Ubuntu Server Security
Managing Cryptography
Introduction to SSL
Public and Private Keys
The Need for a Certificate Authority
Creating a Certificate Authority and Server Certificates
Securing Applications with AppArmor
AppArmor Components
Installing and Starting AppArmor
Creating and Managing AppArmor Profiles
Updating a Profile
Monitoring AppArmor’s Status
Summary
Configuring the Kerberos Server
Configuring Generic Kerberos Settings
Configuring the KDC Settings
Configuring the Kerberos Client
Configuring Simple Kerberos Applications
Logging In with Kerberos
Summary
CHAPTER 14 Ubuntu Server Troubleshooting
Identifying the Problem
Troubleshooting Tools
Working with init=/bin/bash
Rescue a Broken System
Working with a Knoppix Rescue CD
help, and some of the suggestions made by Ubuntu Server Edition’s developers and users
appear in the pages of this book.
This book covers Ubuntu 8.04 LTS Server Edition, sometimes referred to by its codename
“Hardy Heron.” Ubuntu releases an LTS (Long Term Support) edition about every
two years. The LTS designation indicates that this release will be maintained and supported
for five years by Canonical Ltd., the commercial sponsor of Ubuntu. By focusing
on the LTS edition, Sander ensures that this book will be a useful addition to your library.
I am thankful to Sander for writing a book targeted at professional administrators.
I think that it comes at a perfect time for Ubuntu Server Edition. We worked hard to make
Ubuntu 8.04 our most enterprise-ready version yet, and this book is targeted at the enterprise
administrators who need to know about Ubuntu Server’s advanced features. Among
the new and updated features are the following:
• Integrated host firewalling to protect Internet-facing servers
• Added AppArmor policies and increased kernel hardening
• Increased range of storage capabilities, including iSCSI and DRBD
• Sun’s OpenJDK, new to Ubuntu Server in the Ubuntu distribution
• Active Directory integration provided by Likewise Open
• Added KVM virtualization support
I think the fact that this book is focused on the enterprise users, that it covers the
LTS edition, and that Sander asked for Ubuntu Server community feedback all add up to
making this a good book. I hope that it is useful to you, and helps you in your adoption of
Ubuntu Server Edition.
Foreword
One last word about the Ubuntu Server community. Though Ubuntu has a corporate
sponsor, a large portion of the work is done by the community. Who is the community?
Anyone who submits a bug report, helps package applications, writes documentation,
answers questions from other users on the mailing list or IRC, or helps testing. We would
trainer. Samuel taught the complete Mandriva certification program in China (JUST University)
and also teaches Linux for LPI certification training. He is a Novell Certified Linux
Professional (CLP).
About the Technical Reviewer
This book is about advanced Ubuntu Server administration. In this book you will read
about topics that normally are of interest to experienced administrators. The typical
reader of this book will already know how to handle basic tasks such as managing files,
users, permissions, and services such as Apache and Samba.
I have written this book around some major themes. The first of them is administering
Ubuntu Server in the data center. This theme covers typical issues that you’ll encounter
only when installing Ubuntu Server in an enterprise environment, such as connecting the
server to the SAN or configuring Ubuntu Server as a Clonezilla imaging server. You’ll also
learn how to set up high availability for services running on Ubuntu Server.
The second major theme is performance and troubleshooting. There is a chapter
about performance monitoring and analysis, which is followed by a chapter about
performance optimization. You’ll also find a chapter about file system monitoring and
optimization. The last chapter in the book provides extensive coverage of Ubuntu Server
troubleshooting.
The next theme comprises advanced options offered by network services. You’ll learn
how to set up an OpenLDAP Directory server, how to connect your Samba server to that
Directory server, and how to configure Ubuntu Server as a mail server.
The last theme is security. This starts with an introduction to OpenSSL and the
configuration of a certificate authority. The chapter on OpenVPN delves further into the topic
of certificates, and the chapter on Kerberos shows how you can use Kerberos to set up
secure authentication for different services. You’ll also find some in-depth information
about the configuration of AppArmor to protect your applications.
I hope that this book meets your requirements and that you enjoy reading it as much
as I have enjoyed writing it!
work installation and a simple stand-alone installation.
Server Hardware
The first major difference between a demo installation in your test network and an
enterprise network installation is in the server hardware itself. When setting up a server in an
enterprise environment, you probably want some redundancy. You can implement that
redundancy by making sure that some devices have a backup available. For example,
most data-center-grade servers have a dual power supply, two network cards, and at least
two hard disks. The advantage? If one breaks, the server can start using the other. And the
big deal is that all of this happens automatically.
Some of the setup of this redundant hardware is done in the hardware itself. I don’t
cover that in this book. Some setup can be software based as well. For example, the use
of software RAID or NIC teaming (also known as NIC bonding) makes sure that two
network boards are presented as one single network interface. The purpose of that? It
can add redundancy to your network card, or if you prefer, it can increase performance
because two network cards bundled together can handle twice the workload of a single
network card working alone.
Connection to a SAN
Next, your server may be connected to a storage area network (SAN). If you’ve never
worked with a SAN before, no worries—just consider it a bunch of external disks for the
moment. Chapter 7 covers in depth setting up Ubuntu Server as a SAN. Typically, a specialized
network card called a host bus adapter (HBA) takes care of the connection to
a SAN. Such a host adapter may use iSCSI, which sends SCSI packets encapsulated in IP
over a copper-based network, or it may be a Fibre Channel card, using an expensive Fibre
Channel infrastructure.
If your server is connected to a SAN, you normally would want to have some redundancy
in the SAN as well. This redundancy is implemented by using multiple HBAs that
connect to the SAN using different network connections. Now, there is something unique
about this scenario. Normally, when the HBA in your server connects to the SAN, it gets
an additional storage device. For instance, if you have a local hard disk in your server, you
would normally see it as the device
Authentication Handling
One last difference when installing your server in a network environment is that typically
you would implement an external authentication mechanism. If you have only one
server, it makes perfect sense to handle user authentication on that server itself. However,
if you have more than one server, it makes sense to use a service that takes care of
authentication for you at a centralized location in the network. This refers to a server that
has already been set up in the network for this purpose. Such a service might be your
LDAP server or a Microsoft Active Directory environment. The Ubuntu Server installation
process helps you to set that up as well. In the next section you’ll read all about it.
Preparing for the Installation in a Network
You now know what to take care of when installing Ubuntu Server in a network environment.
So let’s talk about the installation itself. In this section you’ll read how a typical
server installation in a network environment takes place. I’ll assume that you have
installed Ubuntu Server before, so I’ll be rather brief on the obvious parts, and more in
depth with regard to the advanced parts of the installation. Before you start the actual
installation, you should understand what I’m going to install here for purposes of
demonstration.
The server that you are going to read about in this section has the following
properties:
• Two quad-core processors
• GB of RAM
• Five disks
• Two Gigabit Ethernet network boards
CHAPTER 1
N
PERFORMING AN ADVANCED UBUNTU SERVER INSTALLATION
4
Note
You may not have the hardware described here available. That’s no problem, because you can
take over easily. This is a very safe method of working, but it doesn’t offer the best
performance. Therefore, especially if you are in an environment in which lots of
files are written to the storage devices, you either should not use RAID 1 or should
create a RAID 1 array that uses two controllers to increase write speed on the
RAID. For rather static volumes, however, RAID 1 is an excellent solution.
• RAID 10: RAID 10 offers you the best of both worlds: it’s RAID with RAID
behind it. So, you have excellent performance and excellent fault tolerance at the
same time. There is one disadvantage, though: you need a minimum of four disks
to set it up.
• RAID 5: If you need to write huge amounts of data, RAID 5 is what you need. To set
up RAID 5, you need a minimum of three disks. When a file is written, it is spread
over two of the three disks, and the third disk is used to write parity information
for this file. Based on this parity information, if something goes wrong with one
of the disks in the RAID array, the RAID software is always able to reconstruct
the data in a very fast way. To promote optimal performance in RAID 5, the parity
information is spread over all the disks in the array. So there is no dedicated disk
that stores this information, and that promotes very good performance as well.
Note
The parity information that is used in a RAID setup creates some kind of a checksum for all files on
the RAID. If a disk in the RAID gets lost, the original file can be reconstructed based on the parity information.
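The parity mechanism described in the RAID 5 item and the note above, as an added example that is not from the book. It assumes XOR parity (the operation RAID 5 uses), a three-disk array, a 4-byte chunk size, and a constructed sample string; all function names are hypothetical.

```python
from functools import reduce

CHUNK = 4  # bytes per chunk (assumed; real arrays use far larger chunks)
SAMPLE = b"payroll records 2009"  # constructed sample data


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, position by position."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def parity_layout(nstripes, ndisks=3):
    """Disk index that holds the parity chunk of each stripe (it rotates)."""
    return [(ndisks - 1 - s) % ndisks for s in range(nstripes)]


def write_raid5(data, ndisks=3):
    """Stripe data over ndisks: ndisks-1 data chunks plus one parity chunk."""
    per_stripe = (ndisks - 1) * CHUNK
    # Pad with zero bytes up to a whole number of stripes.
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\0")
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i:i + CHUNK] for i in range(0, per_stripe, CHUNK)]
        parity_disk = parity_layout(s + 1, ndisks)[s]  # no dedicated parity disk
        chunks.insert(parity_disk, xor_blocks(chunks))
        for disk, chunk in zip(disks, chunks):
            disk.append(chunk)
    return disks


def rebuild_disk(disks, failed):
    """Recompute every chunk of the failed disk from the surviving disks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def read_raid5(disks):
    """Reassemble the data, skipping the parity chunk in each stripe."""
    ndisks, out = len(disks), b""
    layout = parity_layout(len(disks[0]), ndisks)
    for s, parity_disk in enumerate(layout):
        out += b"".join(disks[d][s] for d in range(ndisks) if d != parity_disk)
    return out


if __name__ == "__main__":
    array = write_raid5(SAMPLE)
    print("parity disk per stripe:", parity_layout(len(array[0])))
    for lost in range(3):
        rebuilt = rebuild_disk(array, lost)
        print(f"disk {lost} lost, rebuilt identical:", rebuilt == array[lost])
    print("data read back:", read_raid5(array).rstrip(b"\0"))
```

Parity of this kind restores a disk that is known to be missing; it does not identify which chunk is wrong when a disk silently returns corrupted data.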
Apart from the RAID technologies mentioned here, there are other RAID solutions as
well. However, everything else relates in some way to the techniques mentioned here. In
the example that I’ll show in this chapter, you will install a server that has a RAID 1 array
for the system files and a RAID array to store data files.
On top of the RAID arrays, you need some disk storage mechanism as well. Basically,
a very well-tuned index. All that makes XFS currently the best solution to store
data files.
• ReiserFS: In the late s, Hans Reiser created ReiserFS, a revolutionary file
system that was organized in a totally different way compared to the early file systems
that were available at that time. Because of this completely new approach,
ReiserFS offered supreme performance, especially in environments in which many
small files had to be handled. Some other minor issues were addressed as well,
and that made it a very nice file system for data volumes. However, kernel support
for ReiserFS has never been great and that has led to stability issues. In specific
environments in which many large files need to be handled, ReiserFS may still
be a good choice, but be aware that ReiserFS is not very stable and you will have
problems with it sooner or later.
• JFS: Journaled File System was developed by IBM as one of the first file systems
that offered journaling. The development of this file system has stopped, however,
and therefore I don’t recommend its use on new servers.
Based on the preceding information, you should now be capable of creating a blueprint
for the disk layout that your server is going to use. Table 1-1 provides an overview
of what I’m going to install on my server in this chapter. The items in parentheses are
recommended sizes when working from a VMware test environment or any other test
environment in which available storage is limited.
Note
Chapter 4 covers advanced file system management tasks. ReiserFS management is included as
well. Normally I wouldn’t recommend using ReiserFS anymore, but to make it easier for you to apply the
contents of Chapter 4, in the example setup, I’m setting up a ReiserFS file system as well.
Table 1-1. Blueprint of Server Disk Layout