Version 14 (modified by andygraybeal, 18 months ago)
Zentyal Desktop for Ubuntu 10.04 and 10.10
Warning: if you don't follow this how-to step by step, or if something goes wrong, you can lock yourself out. Please use a virtual machine or a spare machine to try it.
Introduction
zentyal-desktop is an Ubuntu package intended to be installed on the desktop clients (workstations) of a network managed by Zentyal Server.
It provides three main features:
- Authentication against Zentyal LDAP: The user database is stored only on the Zentyal server, and if you have an account on it you can log in from any machine on the network. This works exactly as the PDC feature for Windows clients, but in this case with Ubuntu clients.
- Auto-configuration of desktop clients for the services provided by Zentyal (mail, samba, Jabber, VoIP, ...): The first time the user logs in on a machine, it creates a home directory with the proper preconfigured settings.
- Roaming profiles: The data in the home directory is synchronized with the server so you can work with your files on any machine in the network, always keeping a local copy of the data on them. This feature is currently available only for Ubuntu 10.04.
Configured Applications
Here is a list of the applications included with Ubuntu Desktop that are automatically configured by zentyal-desktop:
- Evolution (Mail service): The mail account of the user is read from LDAP and added.
- Nautilus (File sharing): Links to the samba user share and all group shares for the user are added on the desktop.
- Ekiga (VoIP): The asterisk account for the user is added. A workaround is needed to ask the user for the password before starting Ekiga the first time, because Ekiga can't ask for it if it isn't specified in the configuration.
- Pidgin (Jabber service): The jabber account of the user (if it has one) is added. It also adds a conference to its buddy list for each group that the user belongs to.
- Firefox (Zarafa & User corner): Links to these two services are added to the bookmarks toolbar. Currently it only works if the user corner port is the default one (8888).
Required Scenario
- Zentyal Server 2.0.
- At least one client machine with either Ubuntu 10.04 (Lucid) or 10.10 (Maverick) installed.
Changes on Server Side to Make it Work
General Changes
- Make sure that you have the Users and Groups module installed. If not, you can install it with sudo apt-get install ebox-usersandgroups or through the Software Management menu on the Zentyal interface.
- If you have the Firewall module enabled, go to Firewall --> Packet Filter --> Filtering rules from internal networks to Zentyal and change the decision for ldap service from DENY to ACCEPT.
- Set a valid shell like 'bash' in "Users and Groups -> LDAP Settings".
  - The above change will only affect the users we create from now on.
- Enable Users and Groups Module and click on Save Changes.
- Create a user from the Users/Add User menu on the Zentyal interface.
Roaming Profiles
If you want to enable roaming profiles for the clients, you have to do the following on Zentyal Server:
- Install the unison package by running sudo apt-get install unison on a shell.
- Go to "Users and Groups -> LDAP Settings" on the Zentyal interface, check "Enable PAM" and save changes.
  - Warning: this will allow users to have SSH access to Zentyal Server. If you want to avoid that, do the following:
    - sudo apt-get install scponly
    - Change 'bash' to 'scponly' in "Users and Groups -> LDAP Settings"
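Because the shell set in LDAP Settings only applies to users created afterwards, accounts created while the shell was 'bash' keep SSH shell access after the switch to 'scponly'. The following script is an added example, not part of Zentyal: it lists such accounts from passwd-format input. The UID threshold of 2000, the function names and the sample accounts are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not part of Zentyal or zentyal-desktop.
# MIN_UID (first UID handed out to directory users) and RESTRICTED_SHELL
# are assumptions; adjust both to your server.
MIN_UID="${MIN_UID:-2000}"
RESTRICTED_SHELL="${RESTRICTED_SHELL:-scponly}"

# Read passwd(5)-format lines on stdin and print every account at or above
# MIN_UID whose login shell still allows an interactive session.
interactive_shell_users() {
    awk -F: -v min="$MIN_UID" -v ok="$RESTRICTED_SHELL" '
        /^#/ || NF < 7   { next }            # comments and malformed lines
        $3 + 0 < min + 0 { next }            # local/system accounts are out of scope
        {
            n = split($7, part, "/"); shell = part[n]   # basename of the shell
            if (shell == ok || shell == "nologin" || shell == "false") next
            # an empty shell field means /bin/sh, so it is reported as well
            printf "%s uid=%s shell=%s\n", $1, $3, $7
        }'
}

# Constructed sample (not real accounts): alice was created before the
# default shell was changed to scponly, bob after it.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ebox:x:120:130::/var/lib/ebox:/bin/false
alice:x:2001:1901:Alice:/home/alice:/bin/bash
bob:x:2002:1901:Bob:/home/bob:/usr/bin/scponly
carol:x:2003:1901:Carol:/home/carol:/bin/false
EOF
}

# On the server: getent passwd | interactive_shell_users
if [ "${1:-}" = "--demo" ]; then
    sample_passwd | interactive_shell_users
fi
```
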
Jabber Service
- Make sure you have the SSL support option on the Zentyal Jabber configuration set to Allow SSL or Force SSL. That's because Pidgin is configured by default to use SSL.
- Check the option Enable MUC (Multi User Chat) if you want to use conferences for the groups on your system.
- The Domain name must be set to the same value as your LDAP Base DN. You can check it at "Users and Groups -> LDAP Settings". For example, if your Base DN is "dc=example,dc=com" your Jabber Domain has to be "example.com". By default both LDAP Base DN and Jabber Domain have the same value (the hostname of your machine). So, if you haven't changed them, you don't have to do anything.
- The client also needs to be able to resolve the Domain name to the Zentyal Server IP address. This won't be a problem if your clients get the DNS configuration from the Zentyal DHCP Server and you have added that domain.
- The users that you create must have the Jabber Account section enabled in the Users/Edit User menu of Zentyal. You can see the image below.
Mail Service
- You need to have a virtual mail domain created (probably you already entered it in the initial configuration wizard).
- The users should have a mail account created (as shown in the last image of the Jabber service section).
- You can enable the mail retrieval services you want in the Mail/General menu on eBox, but they have to match the /etc/zentyal-desktop/zentyal-desktop.conf file.
- The default values on that file are to use IMAP instead of POP and use SSL when available.
Client Setup
Installation
- A zentyal-desktop package is provided. Note that this is not yet a stable release, so you use it at your own risk. If you don't know what you are doing and you install it in your production machine it might lock you out.
- Add one of the following lines to your /etc/apt/sources.list file:
- If you are using Ubuntu 10.04: deb http://ppa.launchpad.net/zentyal/desktop/ubuntu lucid main
- gpg --keyserver keyserver.ubuntu.com --recv 0E83F6EB10E239FF
- gpg --export --armor 0E83F6EB10E239FF | sudo apt-key add -
- If you are using Ubuntu 10.10: deb http://ppa.launchpad.net/zentyal/desktop/ubuntu maverick main
- apt-get update && apt-get install zentyal-desktop
- The installation process will ask for the address of the Zentyal Server. You can ignore all the previous questions about LDAP.
- On the next and last question you have to answer "Yes" only if you are using a Zentyal server that acts as a slave on a master/slave architecture.
- You will probably need to reboot the desktop machine after the installation to avoid some issues.
- Once the package is installed, you can change this address by running dpkg-reconfigure zentyal-desktop.
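The steps above fetch the signing key from a keyserver by its 64-bit key ID. The following added example (not part of the original how-to) compares the full fingerprint of the fetched key with one obtained from a trusted source before the key is passed to apt-key add, and refuses a listing that contains more than one primary key. The function names and the fingerprint in the sample are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not part of the zentyal-desktop package.

# Print the fingerprint of every primary key in
# `gpg --with-colons --fingerprint` output read on stdin.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }       # skip subkey fingerprints
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin holds exactly one primary key whose full fingerprint
# equals $1 and whose last 16 hex digits are the key ID $2.
key_is_expected() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    keyid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    got=$(primary_fingerprints)
    [ -n "$got" ] && [ "$got" = "$expected" ] || return 1
    case "$got" in *"$keyid") return 0 ;; *) return 1 ;; esac
}

# CONSTRUCTED fingerprint and listing for the demo. This is NOT the real
# fingerprint of the PPA key; obtain that from a source you trust.
CONSTRUCTED_FPR="0123456789ABCDEF012345670E83F6EB10E239FF"
sample_listing() {
    cat <<EOF
pub:-:1024:1:0E83F6EB10E239FF:1262304000:::-:Constructed Sample Key::scESC:
fpr:::::::::${CONSTRUCTED_FPR}:
sub:-:2048:1:1111111111111111:1262304000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
EOF
}

# Real use, before `apt-key add` (TRUSTED_FPR is a placeholder you supply):
#   gpg --with-colons --fingerprint 0E83F6EB10E239FF \
#       | key_is_expected "$TRUSTED_FPR" 0E83F6EB10E239FF
if [ "${1:-}" = "--demo" ]; then
    sample_listing | key_is_expected "$CONSTRUCTED_FPR" 0E83F6EB10E239FF \
        && echo "fingerprint matches"
fi
```
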
Roaming profiles
- If you want to enable roaming profiles you have to edit /etc/zentyal-desktop/zentyal-desktop.conf and set roaming-profiles = yes.
- In the first login of each user, they will need to answer yes to add the server to the list of SSH known hosts and enter their password in order to allow the copy of the public key to the server.
- Once that is done, further authentication while syncing data will be done using the private OpenSSH key, so there will be no need to enter the password each time.
- The public/private key pair is also automatically generated in the first login.
Usage
- Log in with any user created in the Zentyal Server after the setup and check that the desktop programs are configured for the Zentyal Services.
- After entering the username and a password you'll see a warning about recently created directories if this is the first time the user logs in.
- If you want to force a reconfiguration you can do it by executing rm ~/.zentyal-desktop-configured and then logging in again.
Here is an example desktop after login and running Pidgin. Pidgin asks directly for the password without needing to configure the account. You can also see a link on the desktop to the user's personal Samba Share.
Another example of the same user belonging to two new groups with Samba Share enabled and running Firefox with the Zentyal user corner login screen.
How it Works
- It uses the pam_ldap.so PAM module (libpam-ldap package) for the remote authentication.
- The configuration of the user home directory is done by a script located at /usr/share/zentyal-desktop/zentyal-setup-user that is run after login has succeeded.
- There is a /usr/share/zentyal-desktop/skel directory that contains templates for some of the configured applications.
- The zentyal-setup-user script gets different needed values from LDAP (connecting to the Zentyal server) and replaces them on the templates.
- It creates a .zentyal-desktop-configured file on the user home to avoid repeating the process after each login.
- zentyal-setup-user is run (using pam_exec.so) as the root user, so it adds some actions to the ~/.profile in order to have them run as the login user (some of them are other auxiliary scripts located in /usr/share/zentyal-desktop).
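Since the setup script is executed as root on every login through pam_exec.so, it is worth confirming on each client that every command hooked into PAM this way is owned by root and not writable by group or others. The following is an added example, not code from the package: the function names are hypothetical and the PAM lines in the sample are constructed, not copied from the package's configuration.

```shell
#!/bin/sh
# Added example, not part of the zentyal-desktop package.

# Print the command run by each pam_exec.so line read on stdin.
pam_exec_commands() {
    awk '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        {
            seen = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ "(^|/)pam_exec[.]so$") { seen = 1; continue }
                # options such as quiet or log=FILE never start with "/",
                # so the first absolute path after the module is the command
                if (seen && $i ~ "^/") { print $i; break }
            }
        }'
}

# Succeed only if $1 is a regular file owned by $2 (default: root) and is
# not writable by group or others.
safe_for_root_exec() {
    owner="${2:-root}"
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)" ]
}

# Constructed PAM lines for illustration; not copied from the package.
sample_pam() {
    cat <<'EOF'
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
# session optional pam_exec.so /tmp/disabled-hook
session optional pam_exec.so quiet log=/var/log/setup.log /usr/share/zentyal-desktop/zentyal-setup-user
EOF
}

# On a client:
#   cat /etc/pam.d/* | pam_exec_commands | sort -u | while read -r cmd; do
#       safe_for_root_exec "$cmd" || echo "CHECK: $cmd"; done
if [ "${1:-}" = "--demo" ]; then
    sample_pam | pam_exec_commands
fi
```
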
Attachments
- zentyal-desktop-jabber.png (13.9 KB), added by jacalvo@… 3 years ago: Jabber setup for Zentyal Desktop
- zentyal-desktop-edituser.png (20.6 KB), added by jacalvo@… 3 years ago: Edit user with Jabber and Mail accounts enabled
- zentyal-desktop-setup.png (14.6 KB), added by jacalvo@… 3 years ago: Post-install configuration of zentyal-desktop package
- zentyal-desktop-gdm.png (214.5 KB), added by jacalvo@… 3 years ago: GDM login screen
- zentyal-desktop-pidgin.png (225.9 KB), added by jacalvo@… 3 years ago: Desktop with Pidgin login screen
- zentyal-desktop-firefox.png (117.5 KB), added by jacalvo@… 3 years ago: Desktop with user corner in Firefox and group shares





