Warning: Acronym overload ahead…

Given that the virtual machines (VM), in Xen parlance these are known as DomU, are not going to change I thought it easier to try and migrate the hosts over one by one.

They are all running Debian, though not all the same version nor the same architecture (i386/amd64). Some are running Lenny rather than Squeeze and I don’t want to force myself to upgrade just yet.

The plan of action. This is a plan, not exact details. I’ll probably add them in blow

• Create a logical volume (LV) on the host with LVM to contain all of the VM disk space.
• Create a “test” VM. This is required as I’m going to create an LVM volume group (VG) within the LV I just created, and I seem unable to do this on the host. I could be wrong about that
• Add the VM LV as a secondary disk to the “test” VM & start the “test” VM
• On the VM disk create two partitions. One 500Mb (for /boot) and one containing the rest for LVM.
• Create LV paritions for / /var /usr & /home as neccessary. Mount in the usual file structure
• Stop services on the source machine (except SSH obviously) and rsync files over SSH
• Modify files as neccessary (such as /etc/fstab) to accomodate changes
• Chroot to the mount point and install LVM2 if not installed.
• Shut down “test” VM
• Create VM for the copied machine and include the KVM host’s kernel & initrd. This will allow it to boot as Xen PVMs do not have a kernel or Grub
• Start the KVM, all should boot okay if you updated. This will fail if LVM2 package is not installed
• Install a kernel and Grub. Shut down the VM
• Remove the KVM hosts kernel & initrd and start the VM It should boot Grub in the VM and all should be well

I expect to add a more detailed description on this later.

It seems quite good so far, but not without some minor issues.

Boot order

I experienced a problem between the cgroups and libvirt-bin. By default it seems that cgroups (/etc/init.d/cgred) starts before libvirt-bin and this stopped my virtual machines from starting up. It gave the following errors trying to start the “test1″ virtual machine (VM).

warning : qemudParsePCIDeviceStrs:1422 : Unexpected exit status '1', qemu probably failed
error : qemuSetupCgroup:3416 : Unable to create cgroup for test1: No such file or directory
error : qemuRemoveCgroup:3501 : internal error Unable to find cgroup for test1#012
warning : qemudShutdownVMDaemon:4067 : Failed to remove cgroup for test1

Not being too knowledgeable with the new dependency based boot system it took me a while to work out how to get it to change the order but eventually I edited /etc/init.d/libvirt.bin and changed the line

# Required-Start:    $network $remote_fs $syslog

to

# Required-Start:    $network $remote_fs $syslog cgred

Then you need to apply this change with the following command:

insserv libvirt-bin

This makes the dependency make sure it starts after cgred. Whether this is the “official” way I don’t know, but this now works correctly for me.

Starting VM at boot

By default new virtual machines do not start with the computer but this can be enabled:

virsh autostart <vmname>

as well as disabled

virsh autostart <vmname> --disable

Shutting down VMs on reboot/shutdown

As I only have on server I will be wanting to (at least try to) shut down virtual machines when I shutdown or reboot rather than killing them which seems to happen by default. An entry on Vivek’s blog has a script which can do this. It has been noted in the comments that this does not get called with the new Debian dependency boot scripts.

I have, for now hacked my libvirt-bin init.d script, amendnig the “stop” section to call this script just before the libvirt daemon is shutdown.

Not the most elegant, but works for now. I’ll have to try and tidy that up.

I use Debian Squeeze on our Linux servers. I have been trying to get them to authenticate off of our Active Directory/Windows Server 2008. Previously we used OpenLDAP and this worked well, but with AD I’d rather have one authentication system. One password rather than two.

My experience with Winbind has not been favourable. Despite documentation and plenty of blogs with well written examples of how to do it I could not get it to work for me. Most of what is written is from there.

In this blog I will use the following settings on my network which I will use in my examples. You will wish to change them to reflect your own settings:

server1.int.inutility.net – 192.168.188.10 – Windows Active Directory & WINS server
server2.int.inutility.net -  192.168.188.11 – Windows Active Directory server
linux.int.inutility.net – 192.168.188.20 – Debian Linux box to authenticate against AD
INUTILITY – Windows Domain
INT.INUTILITY.NET – Kerberos/AD Realm

Preparation

Active Directory

You can edit this using the “Active Directory Users & Computers” program on your Windows server, finding a user (or group) and going to the “UNIX Attributes” tab. If you do not have this tab then you are missing the “Identify Management for UNIX” role, and you probably want to investigate that before following this.

DNS

If you are just using Windows DNS and Windows DHCP then you are probably already set for this and can probably skip this section.

You need to make sure your domain name is correct.  If you use a mixture of Windows & Linux services (for DHCP & DNS) then you need to make sure your /etc/resolv.conf has the correct “domain” setting to match the DNS of your Windows servers. If not it is possible you may experience a problem later. This may be set manually or automatically from your DHCP server

Secondly you need to make sure your Windows DNS servers are configured. My /etc/resolv.conf is

1
2
3
4

domain int.inutility.net
search int.inutility.net
nameserver 192.168.188.10
nameserver 192.168.188.11

NTP

It’s good practice to have time syncronised up. My Windows servers both provide NTP service.

apt-get install ntp

Edit the /etc/ntp.conf file, commenting out the existing debian servers and adding in your servers

Line 21

21
22
23
24
25
26
27

#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst
 
server server1.int.inutility.net iburst
server server2.int.inutility.net iburst

You will then need to restart the NTP daemon:

/etc/init.d/ntpd restart

This may take some time to syncronise your Debian server’s clock with that of the Windows Servers’. Check your syslog. ntpd -q will report information on your time servers and syncronisation.

Installation

LDAP Authentication

This allows you to authenticate your users against the Active Directory using LDAP. It allows you to SSH into your server as your AD users and is required to access your server using Samba.

apt-get install libnss-ldapd libpam-ldapd nslcd unscd

This is not to be confused to libpam-ldap and libnss-ldap (no d at the end) which are older methods of LDAP authentication that I have not satisfactorily got working with Active Directory.

It will ask you a few questions while the packages install. For LDAP server URI I entered both my AD servers:

ldap://server1.int.inutility.net/ ldap://server2.int.inutility.net/

You can leave it at one server, or add as many as you want separated by spaces.

You will be asked for your LDAP server search base. It will guess this based on your DNS domain, but sometimes it gets the ending wrong (espcially with country codes). I entered:

dc=in,dc=inutility,dc=net

You will then need to select the Name Services to use with LDAP. Select “group“, “passwd” and “shadow“. It will then finish installation, but there is still a bit to be configured.

It will automatically edit your PAM files (in /etc/pam.d) and your /etc/nsswitch.conf with correct entries so you do not have to unless your set up is a bit unusual. For historical reasons our UIDs start at 500 so I edited the /etc/pam.d/common-* files so the “minimum_uid” entry was 500, not the default 1000.

I use TLS encryption to my servers, using a certificate we have purchased. It requires intermediate certificates which it terms a bundle. You may not require the “tls_cacertfile” entry, but you may require the “ca-certificates” Debian package installed. Using the “tls_reqcert demand” entry makes sure that if the certificate is not verified the connection will not proceed.

25
26
27
28

# SSL options
ssl starttls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/bundle.crt

You also require some entries in this file so it knows where to pull all the user information from:

36
37
38
39
40
41
42
43
44
45
46
47

# Mappings for Active Directory
pagesize 1000
referrals off
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    passwd uid              sAMAccountName
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
filter group (&(objectClass=group)(gidNumber=*))
map    group  uniqueMember     member

After restarting nslcd you should then be able to check users & groups are listed using the getent tool:

/etc/init.d/nslcd restart
Restarting LDAP connection daemon: nslcd.
getent passwd al
al:*:1000:100:Al:/home/al:/bin/bash

You should now be able to SSH into your machine as your Active Directory users, though they may not have home directories (see also the section “Automatic creation of user’s home directory” towards the bottom of the page).

Kerberos

Install the Kerberos packages:

apt-get install krb5-config krb5-user

Then edit /etc/krb5.conf to include entries for your realm:

1
2

[libdefaults]
 default_realm = INT.INUTILITY.NET

and

39
40
41
42
43
44
45

[realms]
        INT.INUTILITY.NET= {
                kdc = 192.168.188.10:88
                admin_server = 192.168.188.10
                default_domain = int.inutility.net
        }
        ATHENA.MIT.EDU = {

and

122
123
124
125

[domain_realm]
        .int.inutility.net = INT.INUTILITY.NET
        int.inutility.net = INT.INUTILITY.NET
        .mit.edu = ATHENA.MIT.EDU

Samba

Firstly you’ll need to install the samba packages:

apt-get install samba samba-common samba-common-bin

I was asked only for my “Workgroup/Domain Name” which I entered in as “INUTILITY” during installation.

Then you need to make some edits to your /etc/samba/smb.conf.

Add the Kerberos realm:

37
38
39

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = IFS-LON
   realm = LONDON.IFS.ORG.UK

Add in WINS server:

48
49
50

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
   wins server = 192.168.188.10

To use Active Directory security:

99
100
101
102
103

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = ads

To configure SAMBA not to be the master browser for the domain.

210
211
212
213
214
215

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
   domain master = no
   local master = no
   preferred master = no

Restart the samba services to load these settings.

/etc/init.d/samba restart

Joining the domain

You can not joing the domain with the following command (or another administrator account can be used)

net ads join -U Administrator

This suceeds, but reports:

kerberos_kinit_password LINUX$@INT.INUTILITY.NET failed: Client not found in Kerberos database

This is something I’ve not been able to trace down yet, but everything works as expected. I have been advised that this may in fact be down to our incorrect reverse DNS.

You should now be able to access the machine using \\LINUX as per a normal Windows server.

Other useful things

Automatic creation of user’s home directory

If you edit /etc/pam.d/common-session you can add an entry to automatically create a user’s home directory upon login:

28

session     required      pam_mkhomedir.so skel=/etc/skel umask=0022 silent

This saves you having to manually copy the /etc/skel files for any users who have not logged into the system before.

Leaving the AD Domain

This can be done using the command below and removes your computer’s entry from the Active Directory:

net ads leave -U Administrator