-- Main.dlgawley - 16 Sep 2008

Hardy client setup built from Gutsy notes and https://help.ubuntu.com/community/ActiveDirectoryHowto

Windows 2003 Active Directory Management of Ubuntu Hardy Heron (8.04.1)

Introduction

The primary goal of this document is to show how Unix accounts on an Ubuntu Linux box can be managed as a client of a Microsoft Active Directory domain.

Active Directory is Microsoft's implementation of an LDAP directory service; it builds on open protocols such as Kerberos, LDAP and SSL. The default

Requisite software

You will need to ensure the following packages are installed:

Install the samba, acl, and attr packages if you wish to enable extended attributes, which give a finer level of control over file Access Control Lists.

  • apt-get install samba acl attr ntp

There are several packages that provide Kerberos services and utilities:

  • krb5-user: Basic programs to authenticate using MIT Kerberos.
  • libpam-krb5: PAM module for MIT Kerberos.
  • libkadm55: MIT Kerberos administration runtime libraries.

So we need to install them:

  • apt-get install krb5-user libpam-krb5 libkadm55

Preconfiguration checks

Check network connectivity to the Kerberos Key Distribution Centre (KDC) hosts.

For example, in CSCF's CS-GENERAL domain (the CS.UWATERLOO.CA Kerberos realm):
  • ping intacta.cs.uwaterloo.ca
  • ping serverus.cs.uwaterloo.ca
  • ping viridis.cs.uwaterloo.ca

Check Time settings.

  • Run ntptrace. If it does not show a non-local time server as the clock source, figure out how to get ntp working properly (or refer the admin to how to do so).

Setting the /etc/krb5.conf file

  • Strict verification of host identity is disabled due to UW's unorthodox DNS domain space.
    • verify_ap_req_nofail = false in [libdefaults]

#
#pragma ident   "@(#)krb5.conf"
#  Setup for CSCF, DRCSCS, University of Waterloo
#  Kerberos Realms
#  Change which default_realm is not commented out if you
#  do NOT want to use realm "CS.UWATERLOO.CA"

[libdefaults]
 default_realm = CS.UWATERLOO.CA
#default_realm = STUDENT.CS.UWATERLOO.CA
#default_realm = CSCF.UWATERLOO.CA
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
# default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
# default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
 verify_ap_req_nofail = false

[realms]
 CSCF.UWATERLOO.CA = {
   kdc = elisa.cscf.uwaterloo.ca:88
   kdc = aeshena.cscf.uwaterloo.ca:88
   kdc = glaciais.cscf.uwaterloo.ca:88
   admin_server = elisa.cscf.uwaterloo.ca:464
   kpasswd_server = elisa.cscf.uwaterloo.ca:464
   kpasswd_protocol = SET_CHANGE
 }

 CS.UWATERLOO.CA = {
   kdc = intacta.cs.uwaterloo.ca:88
   kdc = serverus.cs.uwaterloo.ca:88
   kdc = viridis.cs.uwaterloo.ca:88
   admin_server = intacta.cs.uwaterloo.ca:464
   kpasswd_server = intacta.cs.uwaterloo.ca:464
   kpasswd_protocol = SET_CHANGE
 }

 STUDENT.CS.UWATERLOO.CA = {
   kdc = eponina.student.cs.uwaterloo.ca:88
   kdc = candenis.student.cs.uwaterloo.ca:88
   kdc = cyanea.student.cs.uwaterloo.ca:88
   admin_server = eponina.student.cs.uwaterloo.ca:464
   kpasswd_server = eponina.student.cs.uwaterloo.ca:464
   kpasswd_protocol = SET_CHANGE
 }

[domain_realm]
 .cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
 cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
 .cs.uwaterloo.ca = CS.UWATERLOO.CA
 cs.uwaterloo.ca = CS.UWATERLOO.CA
 .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
 student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA

[kdc]
 profile = /etc/krb5/kdc.conf

[logging]
 default = FILE:/var/log/krb5/kdc.log
 kdc = FILE:/var/log/krb5/kdc.log
 admin_server = FILE:/var/log/krb5/kadmind.log

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
 kinit = {
   renewable = true
   forwardable = true
 }
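A quick sanity check for the file above, added here as an example and not part of the original page: it parses the krb5.conf layout (the `{ }` realm blocks that Python's configparser cannot read), lists each realm's KDCs, and reports the two things a sysadmin should review before rolling the file out: the deliberately disabled verify_ap_req_nofail, and any realm that [domain_realm] maps to but [realms] does not define while dns_lookup_kdc is off. SAMPLE is a constructed excerpt of the page's config, shortened to exercise both findings.

```python
# Added example, not from the original page: parse a krb5.conf (including the '{ }'
# realm blocks configparser cannot read) and lint it. SAMPLE is built from the page.
SAMPLE = """\
[libdefaults]
 default_realm = CS.UWATERLOO.CA
 dns_lookup_kdc = false
 verify_ap_req_nofail = false   # the page disables this for UW's DNS layout
[realms]
 CS.UWATERLOO.CA = {
   kdc = intacta.cs.uwaterloo.ca:88
   kdc = serverus.cs.uwaterloo.ca:88
 }
[domain_realm]
 .cs.uwaterloo.ca = CS.UWATERLOO.CA
 .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
"""

def parse_krb5(text):
    """{section: {key: value}}; repeated keys become a list, '{ }' blocks a dict."""
    conf, section, block = {}, None, None
    lines = (r.split("#", 1)[0].strip() for r in text.splitlines())   # drop comments
    for line in filter(None, lines):                                   # and blank lines
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                               # end of a realm/app block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
                continue
            target = block if block is not None else section
            old = target.get(key)
            target[key] = value if old is None else (old if isinstance(old, list) else [old]) + [value]
    return conf

def kdcs_for(conf, realm):
    v = conf.get("realms", {}).get(realm, {}).get("kdc", [])   # str, list or absent
    return v if isinstance(v, list) else [v]

def check_client_config(conf):
    """Findings to review before joining: unverifiable TGTs and unreachable realms."""
    lib, findings = conf.get("libdefaults", {}), []
    if lib.get("verify_ap_req_nofail", "").lower() == "false":
        findings.append("verify_ap_req_nofail=false: unverifiable TGTs accepted (KDC spoofing risk)")
    realms = {lib.get("default_realm")} | set(conf.get("domain_realm", {}).values())
    for realm in sorted(r for r in realms if r):
        if not kdcs_for(conf, realm) and lib.get("dns_lookup_kdc", "").lower() == "false":
            findings.append(f"{realm}: mapped but has no kdc and dns_lookup_kdc=false")
    return findings
```

Run it against the real file with `check_client_config(parse_krb5(open("/etc/krb5.conf").read()))`; on the page's full config only the verify_ap_req_nofail finding remains, since all three realms define KDCs.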
Topic revision: r3 - 2013-01-29 - DrewPilcher
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.

