Friday , 26 April 2024

Running A File-, Print-, Proxy-, DHCP-, AND Time-Server For Small/Medium Enterprises

This article shows how to run a file-, print-, HTTP proxy-, DHCP-, and time server for small and medium enterprises (SME) on one single Debian Sarge system. It is very easy to set up, and management is done with an easy-to-use web interface called eBox, so once the system is set up, you can forget about the command line. eBox was developed to administer advanced services for corporate networks, and it was created for Debian Sarge.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Preliminary Note

I assume you have already set up a basic Debian Sarge system. You can set up your system as described on the first two pages of this tutorial: The Perfect Setup – Debian Sarge (3.1).

I use 192.168.0.100 as the IP address and server1.example.com as the hostname of my Debian Sarge system in this tutorial. If your Debian Sarge system does not have a static IP address you should now change its network configuration so that it will have a static IP address in the future:

vi /etc/network/interfaces

# /etc/network/interfaces — configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card – this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

(If you use a different gateway than 192.168.0.1, change the gateway IP address in /etc/network/interfaces.)
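
A mistyped static stanza takes the host off the network on the next restart, which is awkward if you are connected over SSH. The following check is an added example, not part of the original tutorial: it verifies that network, broadcast and gateway agree with address and netmask. The function names are hypothetical and the sample stanza is constructed from the values above with a deliberately wrong gateway.

```shell
#!/bin/sh
# Added example: consistency check for a static stanza in /etc/network/interfaces.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_static IFACE: reads an interfaces file on stdin, prints one line per
# problem in IFACE's static stanza and returns non-zero if it found any.
check_static() {
    address= netmask= network= broadcast= gateway=
    for kv in $(awk -v want="$1" '
        $1 == "iface" { active = ($2 == want && $4 == "static"); next }
        active && $1 ~ /^(address|netmask|network|broadcast|gateway)$/ { print $1 "=" $2 }'); do
        case $kv in
            address=*)   address=${kv#*=} ;;
            netmask=*)   netmask=${kv#*=} ;;
            network=*)   network=${kv#*=} ;;
            broadcast=*) broadcast=${kv#*=} ;;
            gateway=*)   gateway=${kv#*=} ;;
        esac
    done
    [ -n "$address" ] && [ -n "$netmask" ] || { echo "address or netmask missing"; return 1; }
    a=$(ip_to_int "$address"); m=$(ip_to_int "$netmask")
    net=$(( a & m )); bc=$(( net | (m ^ 4294967295) )); rc=0
    [ -z "$network" ] || [ "$network" = "$(int_to_ip $net)" ] ||
        { echo "network should be $(int_to_ip $net)"; rc=1; }
    [ -z "$broadcast" ] || [ "$broadcast" = "$(int_to_ip $bc)" ] ||
        { echo "broadcast should be $(int_to_ip $bc)"; rc=1; }
    [ -z "$gateway" ] || [ $(( $(ip_to_int "$gateway") & m )) -eq "$net" ] ||
        { echo "gateway $gateway is outside $(int_to_ip $net)"; rc=1; }
    return $rc
}

# Constructed input: the stanza from this tutorial with a mistyped gateway.
sample_stanza() {
    printf '%s\n' 'auto eth0' 'iface eth0 inet static' 'address 192.168.0.100' \
        'netmask 255.255.255.0' 'network 192.168.0.0' 'broadcast 192.168.0.255' \
        'gateway 192.168.1.1'
}
sample_stanza | check_static eth0 || echo "fix the stanza before restarting networking"
```

On the real system, run `check_static eth0 < /etc/network/interfaces` before restarting the network.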

Then restart your network:

/etc/init.d/networking restart

Edit /etc/resolv.conf and add some nameservers:

vi /etc/resolv.conf

search server
nameserver 145.253.2.75
nameserver 193.174.32.18
nameserver 194.25.0.60

Edit /etc/hosts and add your new IP address:

vi /etc/hosts

127.0.0.1 localhost.localdomain localhost
192.168.0.100 server1.example.com server1
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

2 Install eBox

There are Debian packages available for eBox. To install them, we must edit our /etc/apt/

vi /etc/apt/sources.list

Add the following lines to your existing sources.list:

deb http://ebox-platform.com/debian/stable/ ebox/
deb http://ebox-platform.com/debian/stable/ extra/

Then update your package database:

apt-get update

Afterwards we can install eBox with all needed modules with one single command:

apt-get install ebox libebox ebox-network ebox-objects ebox-firewall ebox-logs ebox-samba ebox-dns-cache ebox-dhcp ebox-squid ebox-usersandgroups ebox-software ebox-ntp ebox-printers

You will be asked a few questions. Most of the time you can simply accept the default values:

Where should the PostgreSQL database be created? <-- /var/lib/postgres/data
Should the data be purged as well as the package files? <-- No
What locale should be used by the database backend? <-- en_US
Choose European or US day/month order in dates. <-- European / US [depends on where you come from]
DNS domain name: <-- example.com
Name of your organization: <-- example.com
Admin password: <-- somepassword
Confirm password: <-- somepassword
Allow LDAPv2 protocol? <-- No
Apache-Perl needs to be reconfigured. <-- Ok
Enable suExec? <-- No
Which paper size should be the system default? <-- a4
On what network interfaces should the DHCP server listen? <-- [Leave it blank.]
Please configure the DHCP server as soon as the installation finishes. <-- Ok
The version 3 DHCP server is now non-authoritative by default <-- Ok
Workgroup/Domain Name? <-- WORKGROUP
Use password encryption? <-- Yes
Modify smb.conf to use WINS settings from DHCP? <-- No
How do you want to run Samba? <-- daemons
Create samba password database, /var/lib/samba/passdb.tdb? <-- No
LDAP server host address <-- 127.0.0.1
distinguished name of the search base <-- dc=example,dc=com
LDAP version to use <-- 3
database requires login <-- No
make configuration readable/writeable by owner only <-- No
nsswitch.conf is not managed automatically <-- Ok
Send daily reminders to users over quota <-- No

Now the packages are getting installed. When you see this:

Configuration file `/etc/dhcp3/dhclient.conf’
==> File on system created by you or by a script.
==> File also in package provided by package maintainer.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer’s version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : background this process to examine the situation
The default action is to keep your current version.
*** dhclient.conf (Y/I/N/O/D/Z) [default=N] ?

answer with N.

Please note: If you’re installing this using SSH, you will lose your SSH connection at this point:

Setting up ebox-firewall (0.7.1) …
EBox: restarting firewall:

This is nothing to worry about; it happens because the eBox firewall closes port 22 by default. Despite this, the installation is successful, and you can open up port 22 again using the eBox web interface.

Logging In To eBox

Now that eBox is installed, open your browser and go to https://192.168.0.100. The login screen appears. Enter the default password ebox and log in:

After the login, you’ll see the eBox status page:

Configure The eBox Firewall

In the next step we want to open port 22 (SSH) again in the firewall. Go to Firewall -> Packet Filter -> Configure default rules:

Under Services, select ssh and Allow and click on Add:

In almost all cases when you change a setting, you will see the red Save changes rectangle in the upper right corner afterwards. Click on it:

After you have clicked on the red rectangle, another screen comes up telling you to save the configuration, which is a little bit long-winded. Anyway, click on Save.

Afterwards, you can access your system on port 22 (SSH) again.

Change Your eBox Password
Go to System -> General and change your eBox password:

Date And Time Settings
To adjust the system time, go to System -> Date/time and enable time synchronization with NTP servers. Click on Change:

Then enter some NTP servers, e.g. pool.ntp.org and time.nist.gov. Click on Change. Don’t forget to click on the red Save changes rectangle afterwards:

Create Groups
eBox allows you to create groups which can have different permissions. For example, one group could be allowed to use the printer, but not the file server, and vice versa for another group. In this article I create two example groups, one for the tech department and one for the sales department:


Create Users
eBox also lets you create users that can be put in the groups you created before, thus inheriting the group permissions, but you can also assign individual permissions to each user. In this example, I create two users: tim in the group techdpt and bob in the group salesdpt.

Time Server
Our eBox system can be a time server for our network. All we have to do is enable the NTP server under NTP server.

(Of course, you must tell the workstations in your network afterwards that they should use 192.168.0.100 as time server.)

Afterwards, you will be redirected to the eBox status page again:

Print Server

With eBox, you can also create a print server for your network. eBox supports USB, parallel, network, and Samba printers. In this example, I have connected a Brother HL-5050 laser printer to my eBox system with USB.

First, we must add the printer to our eBox configuration:







DHCP Server

If you use a hardware router for your network, chances are that you already have a DHCP server in your network as most hardware routers come with a DHCP server. If you don’t have a DHCP server in your network, you can run a DHCP server on your eBox system.

Go to DHCP and enable the DHCP server. Then enter a gateway and two nameservers (e.g. 213.191.92.84 and 213.191.74.12) and specify an IP address range (i.e., IP addresses that can be assigned dynamically to client computers in your network):

Afterwards all computers in your network that don’t have a static network configuration will connect to your new DHCP server and get their network configuration from it.

File Server

What I like most about eBox is the ease with which you can create file shares for your network. Just go to File sharing, enable the service, and under General Settings you specify the working mode (File server or Primary Domain Controller (PDC)) and a quota limit for the file share:

DNS Cache

Your eBox system can also be a DNS cache which can speed up web browsing in your network because DNS queries will be faster. All you have to do is enable the DNS cache under DNS Cache and tell the computers in your network to use 192.168.0.100 as primary nameserver (you can specify 192.168.0.100 as primary nameserver in your DHCP server settings, see chapter 11).

HTTP Proxy

You can use the eBox system as an HTTP proxy server for your network which can speed up web browsing because the proxy keeps visited pages in its cache. With the HTTP proxy server, you can also do filtering, e.g. for sex and violence. Just go to HTTP proxy -> General and enable the proxy:

Now you have to configure your browsers to use the eBox HTTP proxy.

Under Allowed domains, Banned domains, Extensions filter, and Policy you can define more fine-grained filter rules.

Status, Firewall

Now we have enabled all services we need, and on the Status page you should now see them listed as running:

In the firewall settings, you will see that all needed ports for our services have been opened up automatically so you don’t have to worry about the firewall blocking any of these services:
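
The firewall view shows which ports are open, but not what is actually listening behind them. The following check is an added example, not part of the original tutorial or of eBox: it compares `netstat -tuln` output against the services enabled in this tutorial and prints every non-loopback listener that is not on the list. The port list assumes the standard default ports (an assumption about this setup), the function names are hypothetical, and the netstat sample is constructed.

```shell
#!/bin/sh
# Listeners expected for the services enabled in this tutorial: SSH, eBox web
# interface, DNS cache, DHCP, NTP, Samba, CUPS and the Squid proxy.
# Assumption: standard default ports; adjust the list if your setup differs.
EXPECTED="tcp/22 tcp/443 tcp/53 udp/53 udp/67 udp/123 udp/137 udp/138 tcp/139 tcp/445 tcp/631 tcp/3128"

# unexpected_listeners: reads `netstat -tuln` output on stdin and prints
# "proto/port address" for every non-loopback listener not in $EXPECTED.
unexpected_listeners() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            proto = substr($1, 1, 3)                      # tcp6 -> tcp, udp6 -> udp
            if (proto == "tcp" && $6 != "LISTEN") next    # only listening TCP sockets
            addr = $4
            port = addr; sub(/.*:/, "", port)             # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next    # loopback is not exposed
            key = proto "/" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key " " host }
        }'
}

# Constructed sample of `netstat -tuln` output (not captured from a real system).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.100:3128      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

sample_netstat | unexpected_listeners
```

On the server itself, run `netstat -tuln | unexpected_listeners`; anything it prints is reachable only as far as the firewall rules allow and should either be bound to 127.0.0.1 or added to the list on purpose.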

User Permissions

Now that all desired services are running, we can set the permissions for our users, i.e., we can specify which user can use our file share and our printer. In the following example, I allow the user tim to use our file share and the printer:


Group Permissions

As before for our users, you can now specify which group can use the printer, plus you can specify a file sharing directory for each group:


Test The File Share And The Printer

Now we can test our file share and the printer from a Windows workstation. Go to Start -> Run (Start -> Ausführen if it’s a German Windows) and type in

\\192.168.0.100

You will be prompted for a username and password, so if you are tim, type in tim and tim’s password:

If the login is correct, you will be granted access to your file share. You can now see your personal folder tim and the printer we created in eBox. You can also see the folder sales which is owned by the salesdpt group. Since tim is not an owner of that group, he cannot access the sales folder (unless he provides a correct username and password for it). Of course, he can access his own folder tim.

Network Settings

eBox allows you to create virtual interfaces (e.g. if you want to add some IP addresses to the network card). Under Network -> Interfaces -> Virtual Interfaces type in the name of the virtual interface (e.g. 1 – do not use 0, eBox will not create the virtual interface then, this seems to be a bug), an IP address (e.g. 192.168.0.101) and the netmask (e.g. 255.255.255.0):

Afterwards, you can check whether eBox created the virtual interface. Log in to the shell and run

ifconfig

and you should see the virtual interface eth0:1 with the IP address 192.168.0.101.

Please note: Under Network -> Interfaces, do not enable External as you will lose access to your eBox system! The External checkbox enables NAT for the eBox system which we don’t need as the system is in the same network as our workstations.

Under Network -> DNS, you can specify which DNS servers your eBox system should use. These nameservers will be saved in /etc/resolv.conf.

Under Network -> Diagnosis, you can test your network connection and name resolution:

Configuration Backup

Under System -> Backup, you can back up your current eBox configuration, so if you lose your eBox configuration, you can restore it from the backup:

eBox Software Management

Under Software management -> eBox components, you can see which eBox modules are currently installed on your Debian system. If you don’t need a module anymore, you can delete it:

Under Software management -> System updates, you can check for eBox updates:

Under Software management -> Configuration you can enable automatic software updates for the eBox components:
