Small Business Server

From ArchWiki
Revision as of 17:17, 21 May 2011 by Locky37 (talk | contribs) (FreeRadius EAP-TLS)


This article is a stub.


In this series of articles we will present a way to configure a Linux server to work in a mixed Windows/UNIX environment in a way that will scale well.

What not to do: don't try to configure the system in the fastest way possible. Migrations between configurations (for example, from flat files to LDAP for both UNIX and Windows authentication) are not easy, are disruptive, and in the end turn those 5 minutes of work you skip now into hours later on.
Note: I'm suggesting here how to pick out and configure a Linux server for a small company, with a server that is built from scratch or updated with a new install. Not all suggestions apply to every possible workload, though they should be a good starting point in most cases.


This series of articles will show best practices for configuring a Windows/UNIX mixed domain in an extensible way: what to do, how to do it, and what not to do (and why).

Our server will support:

  • Network firewall and NAT
  • DNS and DHCP for hosts
  • User authentication and management with LDAP
  • File sharing with Samba, NAT and FTP
  • Printing with CUPS (from UNIX) and Samba (from Windows)
  • VPN service



You will need at least 2 computers:

  • An Archlinux domain controller (our Small Business Server)
  • A Windows workstation or domain member server
  • A Linux domain member workstation/server

While the workstations can be made up of any hardware the OS will run on, server machines need a little more thought put into them early on to save a few headaches later.


It's best to use server-grade hardware, but Linux will work well on commodity hardware too. Things that are good to have:

  1. At least two disks for RAID (for a server, that's the single most important thing)
  2. ECC RAM (plain ECC RAM, not ECC Registered, is supported by most middle- and high-end commodity main-boards and isn't much more expensive than normal RAM)
  3. Hardware RAID isn't really necessary; Linux software RAID
    • usually gives you better throughput (only very high numbers of Input/Output Operations Per Second (IOPS) are hard to achieve, but if you care about IOPS you need to look at enterprise hardware)
    • allows access to SMART data for the HDDs
    • doesn't tie the array to a controller
    • is much more flexible than even the most expensive hardware RAID controllers
  4. A relatively fast processor
  5. Lots of RAM (4GB as of 2010 is the absolute minimum for a new build)
  6. A gigabit ethernet NIC, plus a FastEthernet one if the server will work as a router too

Basic configuration

Some features (easy backups, migration and Windows Previous Versions on Samba shares) require LVM running on the server.

When you are installing a new OS, put it on LVM at the very least. Even if you plan to use a single partition for the whole system, this way you'll later be able to migrate to larger HDDs or RAID without even rebooting the system.

GRUB needs a physical partition (or a RAID1 volume) to install to, so the basic configuration needs to be something like this:

  sda
+--------+------------+
|/boot   |LVM PV      |
+--------+------------+

and like this for a 2+ drive setup:

  sda                      sdb
+--------+------------+ +--------+------------+
|/boot   |RAID volume | |/boot   |RAID volume |
+--------+------------+ +--------+------------+
             ^                       ^
             | RAID MD device        |
             | LVM PV                |
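The two-disk layout above, as an added example that is not part of the original article: a POSIX shell script that prints (and, when DRY_RUN is unset, runs) the mdadm and LVM commands that turn the two "RAID volume" partitions into one RAID MD device and then into one LVM PV with a volume group on it. It assumes each disk is already partitioned as in the diagram (partition 1 for /boot, partition 2 as the RAID member); the device names, the volume group name and the logical volume sizes are constructed placeholders, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article: build the RAID MD device and
# the LVM PV from the two-disk diagram. Assumes sdX1 is /boot and sdX2 is the
# RAID member on both disks. Device names, VG name and LV sizes are placeholders.

MD_DEV="${MD_DEV:-/dev/md0}"   # assumption: name of the mirror device
VG_NAME="${VG_NAME:-vg0}"      # assumption: LVM volume group name

# run CMD ARGS...: print the command; execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# plan_layout DISK1 DISK2: mirror partition 2 of both disks into MD_DEV, make
# it an LVM PV, create a VG and the first LVs, and persist the array definition.
plan_layout() {
    d1="$1"; d2="$2"
    # 1. RAID1 across the second partition of each disk (the "RAID volume" boxes)
    run mdadm --create "$MD_DEV" --level=1 --raid-devices=2 "/dev/${d1}2" "/dev/${d2}2"
    # 2. The whole mirror becomes a single LVM physical volume in one volume group
    run pvcreate "$MD_DEV"
    run vgcreate "$VG_NAME" "$MD_DEV"
    # 3. Logical volumes (sizes are assumptions). Do not allocate the whole VG:
    #    free extents are what LVM snapshots (backups, Samba "Previous Versions") use.
    run lvcreate -L 20G -n root "$VG_NAME"
    run lvcreate -L 10G -n var "$VG_NAME"
    run lvcreate -L 50G -n home "$VG_NAME"
    # 4. Record the array so it is assembled at boot before LVM scans for PVs
    run sh -c "mdadm --detail --scan >> /etc/mdadm.conf"
}

# Usage: DRY_RUN=1 sh layout.sh sda sdb   (review the plan), then run it for real.
if [ "$#" -eq 2 ]; then
    plan_layout "$1" "$2"
fi
```

Review the printed plan with DRY_RUN=1 first; /boot on partition 1 of each disk is left alone, because GRUB installs to a plain partition (or a RAID1 volume), not to an LVM volume.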

File systems

Note on overall network architecture

Server Configuration

Network access and basic services





(dynamic DNS)


proxy server

FreeRadius EAP-TLS

Implementing 802.1X EAP-TLS with FreeRADIUS.

One common use of client-side PKI certificates is 802.1X network authentication, where EAP/TLS presents the client's identity to the server. Unlike many other EAP types, EAP/TLS does not send a password from the supplicant to the server, which is better for network security.

This page explains how to build a FreeRADIUS server (v1.0.4 was current at the time of writing) and configure it for 802.1X and EAP/TLS network authentication.

Dependencies

This procedure should work on servers running most Linux distributions. The machine used for testing had Red Hat 9 installed. 802.1X authentication worked with Windows XP, Mac OS X and Linux clients.

Cisco and Aruba wireless access points were used on the network.

Note that FreeRADIUS requires OpenSSL 0.9.7 or later. If the base system needs upgrading, it is easiest to do that first. The FreeRADIUS documentation suggests building a separate copy of OpenSSL for FreeRADIUS when upgrading the system is not possible; we did not use that technique.

The rlm_eap_tls module was improved after version 0.9.2, which did not work with the Windows XP supplicant. FreeRADIUS versions from 1.0.2 onward work successfully.

Install the packages:

 pacman -S openssl
 pacman -S freeradius

Change to the /etc/raddb/certs directory. For production, edit the files below and replace the example parameters with real values; otherwise you get the example setup with the certificate password whatever.

ca.cnf:

 ...
 [ req ]
 prompt = no
 distinguished_name = certificate_authority
 default_bits = 2048
 input_password = whatever
 output_password = whatever
 x509_extensions = v3_ca

 [certificate_authority]
 countryName = FR
 stateOrProvinceName = Radius
 localityName = Somewhere
 organizationName = Example Inc.
 emailAddress =
 commonName = "Example Certificate Authority"
 ...

server.cnf:

 ...
 [ req ]
 prompt = no
 distinguished_name = server
 default_bits = 2048
 input_password = whatever
 output_password = whatever

 [server]
 countryName = FR
 stateOrProvinceName = Radius
 localityName = Somewhere
 organizationName = Example Inc.
 emailAddress =
 commonName = "Example Server Certificate"
 ...

You need to edit client.cnf only if you are using EAP-TLS. If not, then that file can be left as-is.

Once the ca.cnf and server.cnf files have been edited, re-create the CA and server certificates as before in the EAP howto. This process will destroy any existing certificates, so you should make a backup of this directory before continuing.

 $ cd /etc/raddb/certs
 $ make

Depending on the version of FreeRADIUS, the output may be:

 make: Nothing to be done for `all'.

In that case, you will have to remove some files manually, and then re-create the certificates:

 $ rm -f *csr *key
 $ make

Otherwise, you should see OpenSSL creating the keys and certificates, as shown below:

 openssl req -new -x509 -keyout ca.key -out ca.pem -config ./ca.cnf
 Generating a 2048 bit RSA private key
 ...................................................
 etc.

Generating client certificates

 make client.pem

Resources used to set up the authentication server through the access point.
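Before running make, it is worth checking that the placeholders from the shipped ca.cnf and server.cnf have actually been replaced, since make will happily sign a CA and a server certificate protected by the example password. The following POSIX shell script is an added example, not part of FreeRADIUS or of the original article: it reads the key = value lines of the config files named on the command line and fails on the example password whatever, on key sizes below 2048 bits, on organizationName or commonName values still containing "Example", and on an empty emailAddress. Which conditions count as failures is this script's own assumption.

```shell
#!/bin/sh
# Added example, not part of the FreeRADIUS project or the original article:
# audit the OpenSSL request configs in /etc/raddb/certs before running `make`,
# so the shipped example password "whatever" and the "Example Inc." placeholders
# never end up in a production CA or server certificate. The thresholds and
# placeholder patterns below are this script's own assumptions.

# cnf_value FILE KEY: print the value of the first "KEY = value" line, trimmed
cnf_value() {
    awk -v key="$2" -F= '
        $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_cnf FILE: print one line per problem; return 0 if none, 1 otherwise
check_cnf() {
    file="$1"; rc=0
    # Private-key passwords: must be set and must not be the shipped example
    for pw_key in input_password output_password; do
        pw=$(cnf_value "$file" "$pw_key")
        if [ -z "$pw" ] || [ "$pw" = whatever ]; then
            echo "$file: $pw_key is empty or still the example value"; rc=1
        fi
    done
    # Key size: anything below 2048 bits (or non-numeric) is a failure
    bits=$(cnf_value "$file" default_bits)
    case "$bits" in ''|*[!0-9]*) bits=0 ;; esac
    if [ "$bits" -lt 2048 ]; then
        echo "$file: default_bits=$bits is below 2048"; rc=1
    fi
    # Subject fields: reject empty values and the shipped "Example ..." names
    for key in organizationName commonName; do
        val=$(cnf_value "$file" "$key")
        case "$val" in
            ''|*Example*) echo "$file: $key is empty or a placeholder ($val)"; rc=1 ;;
        esac
    done
    [ -n "$(cnf_value "$file" emailAddress)" ] || { echo "$file: emailAddress is empty"; rc=1; }
    return "$rc"
}

# Usage: sh check_raddb_certs.sh /etc/raddb/certs/ca.cnf /etc/raddb/certs/server.cnf
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_cnf "$f" || status=1
    done
    exit "$status"
fi
```

Run it against both files and only continue with make (and make client.pem) once it exits 0; the same check can be wired in front of make in a deployment script so a forgotten edit stops the build instead of producing a CA with a publicly known password.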




mail server


web server

alternatives to group ware



Client backup

Windows workstation

joining samba domain

Linux workstation

LDAP authentication