ADAddUbuntuScripts (2024-10-30, MariHassanzada)
---+ Note

%TABLE{tableborder="0" cellpadding="10" databg="#EDDBCB" }%
|\
These scripts are fine for setting up individual Ubuntu workstations, \
but, because they install =ntp= packages \
they should not currently (Apr 25, 2013) be used to set up LXC containers. \
\
<br> -- Main.AdrianPepper - 2013-04-25 \
|

---+ AD Script for Ubuntu Post-image Installation (THIS PAGE NEEDS UPDATING)

While imaged PCs typically have some of the fundamental pieces for AD authentication, a fresh installation of Ubuntu may not. The scripts described below take care of many of the steps required for properly configuring an Ubuntu machine to authenticate using our CS Active Directory. Mike wrote a cover script that does even more steps, particularly needed for Research machines (not CS core machines). So, if possible, use Mike's script. If Mike's script is unavailable use Clayton's AD Ubuntu script documented in this Twiki page. Run it after the Image installation.<br />

Throughout this page we are using scspc400 as an example machine. Replace scspc400 with the machine you are setting up.

%TOC%

---++ This page is under construction (Information presented here is not necessarily correct)

Written as of September 2012 and Ubuntu 12.04. Things may change ...

---++ Background Information

https://www.cs.uwaterloo.ca/twiki/view/CF/LinuxActiveDirectory

---++ Prior To Running the Script

These steps may not be necessary. They are put here for completeness. Some of this is included in the image.

---+++ Set the Network Manager

Update Network Manager configuration for eth1, IPv4 to use "Automatic (DHCP) addresses only", DNS servers 172.19.32.5, search domains cs.uwaterloo.ca and uwaterloo.ca.<br />
Edit /etc/hostname and /etc/hosts to set scspcxxx to the machine name.<br />
cscf-adm@scspcxxx:~$ sudo reboot

---+++ Get root keys from cscf to the machine

   * If you do not have the original SSH keys for the host, please read the section below called [What to do if SSH key changes on the HOST]

If it is an existing machine that has been re-imaged, save the SSH and SSL data.

<pre>
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssl/private
</pre>

---++++ Need root access via SSH from cscf.cs

Test root access.

<pre>
cscf.cs# ssh scspc400
The authenticity of host 'scspc400 (129.97.170.65)' can't be established.
RSA key fingerprint is 17:9c:eb:dc:f7:58:c7:f4:4b:9a:5e:fc:31:31:ac:6d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'scspc400,129.97.170.65' (RSA) to the list of known hosts.
root@scspc400's password:
Permission denied, please try again.
</pre>

Since it can't SSH, get the key to the machine.

<pre>
cscf.cs# grep root /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
cscf.cs# cd /.ssh
cscf.cs# scp id_dsa.pub cscf-adm@scspc400:
cscf-adm@scspc400's password:
id_dsa.pub 100% 602 0.6KB/s 00:00
</pre>

Put the root key in the root account on the machine.

<pre>
cscf.cs# ssh cscf-adm@scspc400
cscf-adm@scspc400's password:
...
/usr/bin/xauth: creating new authority file /home/cscf-adm/.Xauthority
cscf-adm@scspc400:~$ sudo -s
[sudo] password for cscf-adm:
root@scspc400:~# grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
root@scspc400:~# cd /root
root@scspc400:/root# cd .ssh
bash: cd: .ssh: No such file or directory
root@scspc400:/root# mkdir .ssh
root@scspc400:/root# cd .ssh
root@scspc400:/root/.ssh# cat /home/cscf-adm/id_dsa.pub >> authorized_keys
root@scspc400:/root/.ssh# rm /home/cscf-adm/id_dsa.pub
</pre>

Test the root login from cscf.cs. There should be no prompt for a password.

<pre>
cscf.cs# ssh scspc400
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
Linux scspc400.cs.uwaterloo.ca 2.6.35-22-generic #35-Ubuntu SMP Sat Oct 16 20:45:36 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.10

Welcome to Ubuntu!
...
/usr/bin/xauth: creating new authority file /root/.Xauthority
root@scspc400:~#
</pre>

---++ Mike Gore's join-ad wrapper script

*We ASSUME you have, at minimum, the cscf root public key added to /root/.ssh/authorized_keys on the target machine*

   * Location: *linux.cscf.uwaterloo.ca:/home/magore/bin/join-ad*
   * *This script sets required environment variables for running Clayton's script*
   * *Does a remote apt-get update before calling Clayton's script*
   * Attempts to remove old host keys for the target host by name (all names host, host.cs, host.cs.uwaterloo.ca) and IP on linux.cscf
   * Run script */home/magore/bin/patch14.sh*
   * Optionally renames the target host if it is *scspcxxx*
   * Removed APT repositories that are no longer valid
   * Patches pam environment PATH
   * Adds *%staff_cscf* to sudoers
   * Updates GRUB options
   * Installs *boot-repair*
   * Removes buggy *deja-dup* (that randomly consumes all of the CPU and disk)
   * *Optionally it also adds the user to /etc/sudoers if they are not already there*

---+++ Mike Gore's join-ad wrapper script Usage

1) *logon to linux.cscf*<br />
2) *sudo bash*<br />
3) *cd /home/magore/bin*<br />
3a) *If the host has been reimaged please read the section called [What to do if SSH key changes on the HOST]*<br />
4) *./join-ad scspcxxx.cs [userid] [y]*

   * calls *patch14.sh* - see previous section
   * *scspcxxx.cs* is replaced by your hostname
   * The *uwaterloo.ca* part is not required
   * If the host is in the *.cs* domain you must include the *.cs*
   * */home/magore/bin/sudo-host scspcxxx.cs [userid] [-y]* is called which causes:
      * *Always adds %staff_cscf to the sudoers file*
         * But only if they are not already there
      * Optionally, if supplied, the *userid* is added to the sudoers file and the userid is added to all admin groups
         * But only if they are not already there
      * Optionally, if supplied, [-y] copies *updates* to the remote host and runs it.
         * See next section for details

---++++ What to do if SSH key changes on the HOST

   * Note: *join-ad* script now does this step automatically
   * *Login to ubuntu1404-202:*
      * *sudo bash*
      * *ssh-keygen -f "/root/.ssh/known_hosts" -R scspcxxx.cs.uwaterloo.ca*
      * *ssh-keygen -f "/root/.ssh/known_hosts" -R scspcxxx.cs*
      * *ssh-keygen -f "/root/.ssh/known_hosts" -R scspcxxx*
      * *ssh-keygen -f "/root/.ssh/known_hosts" -R &lt;ip address of scspcxxx&gt;*

---++++ Mike Gore's updates script

*This is done automatically with the [-y] option to join-ad - see previous sections* <br>
*You need the 2013 cscf-adm password to run this on the remote host*<br>

   * Create all of the AD directory dependent symlinks /u[0-9] -> /home and xhbin
   * Add all of the repositories used in a standard grad desktop image
   * On 14.04 updates the path in /etc/profile to work around a bug in 14.04
   * Setup unattended upgrades
   * Remove *rm -f /etc/udev/rules.d/70-persistent-net.rules* if it exists
      * This is to fix up machines that were imaged - to restore the default out of box network device name mapping
   * update dhclient.conf *OPTION="option domain-search code 119 = string;"*
   * Disable guest account
   * Permit manually typed login userid
   * Setup NTP
     using CORE configuration file
   * Setup SNMP using CORE configuration file
   * Set default printer to lj_csgrad
   * Verify access to uwcs- metapackages

---+++ test_ldap diagnostic

   * You can run this on a work station to verify that all of the CS AD servers can be accessed
   * Runs a query like this: *ldapsearch -h vulgatum.cs.uwaterloo.ca -b dc=uwaterloo,dc=ca -LLL -z 26 -x "cn=magore"*
   * *If any of these timeout/hang you have a problem*

---+++ install_matlab_maple

   * *./install_matlab_maple* - Install matlab and maple
   * *You must copy common_function and install_matlab_maple from magore@linux.cscf.uwaterloo.ca:/home/magore/bin to the remote host and execute it there*
   * *You need the 2013 cscf-adm password to run this on the remote host*

---++ Run Clayton's Script

<pre>
cscf.cs# cd /u1/ctucker/bin/host_setup
cscf.cs# pwd
/u1/ctucker/bin/host_setup
cscf.cs# ./linux_into_ad_v4.sh scspc400.cs.uwaterloo.ca CS-GENERAL -w
</pre>

The script will prompt for input at various stages. The script will typically run in 5 to 10 minutes.

<pre>
CS-GENERAL/ldap.conf
CS-GENERAL/krb5.conf
CS-GENERAL/common-auth
CS-GENERAL/common-account
CS-GENERAL/common-session
CS-GENERAL/common-password
TRUE
FALSE
viridis.cs.uwaterloo.ca
scspc400.cs.uwaterloo.ca
scspc400
CS.UWATERLOO.CA
host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
viridis.cs.uwaterloo.ca
OU=Linux Hosts,OU=CS,DC=cs,DC=uwaterloo,DC=ca
CN=scspc400_host,OU=Linux Hosts,OU=CS,DC=cs,DC=uwaterloo,DC=ca
TRUE
/tmp/active-directory-computer-creation_ldap_update_7765_new_computer.ldif
SASL/EXTERNAL authentication started
SASL username: CN=cscf_accounts_client,OU=Special Accounts,OU=CSCF,DC=sysadmins,DC=cscf,DC=uwaterloo,DC=ca
SASL SSF: 0
adding new entry "CN=scspc400_host,OU=Linux Hosts,OU=CS,DC=cs,DC=uwaterloo,DC=ca"

Waiting 10 seconds for domain controllers in realm to synchronize
1
The authenticity of host 'scspc400.cs.uwaterloo.ca (129.97.170.65)' can't be established.
RSA key fingerprint is 17:9c:eb:dc:f7:58:c7:f4:4b:9a:5e:fc:31:31:ac:6d.
Are you sure you want to continue connecting (yes/no)? <yes>
...
Default Kerberos version 5 realm: ENTER #may occur later in the install

Should debconf manage LDAP configuration? yes ENTER #this part may not always prompt

LDAP server Uniform Resource Identifier: ENTER

Please enter the distinguished name of the LDAP search base. Many sites use the components of their domain names for this purpose. For example, the domain "example.net" would use "dc=example,dc=net" as the distinguished name of the search base.
Distinguished name of the search base: ENTER

Please enter which version of the LDAP protocol should be used by ldapns. It is usually a good idea to set this to the highest available version.
 1. 3 2. 2
LDAP version to use: 1 ENTER

This option will allow you to make password utilities that use pam to behave like you would be changing local passwords.
The password will be stored in a separate file which will be made readable to root only.
If you are using NFS mounted /etc or any other custom setup, you should disable this.
Make local root Database admin: y ENTER

Choose this option if you are required to login to the database to retrieve entries.
Note: Under a normal setup, this is not needed.
Does the LDAP database require login? n ENTER

This account will be used when root changes a password.
Note: This account has to be a privileged account.
LDAP account for root: ENTER

Please enter the password to use when ldap-auth-config tries to login to the LDAP directory using the LDAP account for root.
The password will be stored in a separate file /etc/ldap.secret which will be made readable to root only.
Entering an empty password will re-use the old password.
LDAP root account password: ENTER

One or more of the files /etc/pam.d/common-{auth,account,password,session} have been locally modified. Please indicate whether these local changes should be overridden using the system-provided configuration. If you decline this option, you will need to manage your system's authentication configuration by hand.
Override local changes to /etc/pam.d/common-*? y ENTER #this part may not always prompt

Setting up libpam-ldap (184-8.4ubuntu1) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
Setting up libnss-ldap (264-2ubuntu2) ...
update-rc.d: warning: libnss-ldap start runlevel arguments (2 3 4 5) do not match LSB Default-Start values (none)
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  libpam-krb5
0 upgraded, 1 newly installed, 0 to remove and 71 not upgraded.
Need to get 73.8kB of archives.
After this operation, 193kB of additional disk space will be used.
Get:1 http://mirror.cs.uwaterloo.ca/ubuntu/ maverick/main libpam-krb5 amd64 4.2-1 [73.8kB]
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
dpkg-preconfigure: unable to re-open stdin:
Fetched 73.8kB in 0s (2,755kB/s)
Selecting previously deselected package libpam-krb5.
(Reading database ... 311974 files and directories currently installed.)
Unpacking libpam-krb5 (from .../libpam-krb5_4.2-1_amd64.deb) ...
Processing triggers for man-db ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
Setting up libpam-krb5 (4.2-1) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  ntp
0 upgraded, 1 newly installed, 0 to remove and 71 not upgraded.
Need to get 556kB of archives.
After this operation, 1,442kB of additional disk space will be used.
Get:1 http://mirror.cs.uwaterloo.ca/ubuntu/ maverick-updates/main ntp amd64 1:4.2.4p8+dfsg-1ubuntu6.1 [556kB]
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
dpkg-preconfigure: unable to re-open stdin:
Fetched 556kB in 0s (9,770kB/s)
Selecting previously deselected package ntp.
(Reading database ... 311989 files and directories currently installed.)
Unpacking ntp (from .../ntp_1%3a4.2.4p8+dfsg-1ubuntu6.1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Default Kerberos version 5 realm: ENTER

Setting up libpam-krb5 (4.5-3) ...
debconf: unable to initialize frontend: Dialog
debconf: (TERM is not set, so the dialog frontend is not usable.)
debconf: falling back to frontend: Readline
debconf: unable to initialize frontend: Readline
debconf: (This frontend requires a controlling tty.)
debconf: falling back to frontend: Teletype
Setting up ntp (1:4.2.4p8+dfsg-1ubuntu6.1) ...

Configuration file `/etc/ntp.conf'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.
*** ntp.conf (Y/I/N/O/D/Z) [default=N] ? ENTER
 * Starting NTP server ntpd
   ...done.
Reading package lists...
Building dependency tree...
Reading state information...
nscd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 71 not upgraded.
 * Stopping NTP server ntpd
   ...done.
 2 Sep 14:13:12 ntpdate[7168]: step time server 129.97.152.10 offset -1.334914 sec
 * Starting NTP server ntpd
   ...done.
 * Stopping Name Service Cache Daemon nscd
   ...done.
 * Starting Name Service Cache Daemon nscd
   ...done.
no crontab for root
active-directory-computer-creation_ldap_update_26940_crontab_update2.txt 100% 117 0.1KB/s 00:00
----------------------------------------
Creating keytab file on scspc400.cs.uwaterloo.ca
----------------------------------------
<p host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA -k 1 -e des-cbc-md5
Password for host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA:
<p host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA -k 1 -e rc4-hmac
Password for host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA:
<p host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA -k 1 -e des-cbc-crc
Password for host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA:
<p host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA -k 1 -e des3-cbc-sha1
Password for host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA:
<p host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA -k 1 -e aes256-cts
Password for host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA:
<p host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA -k 1 -e aes128-cts
Password for host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA:
ktutil: wkt /etc/krb5.keytab
ktutil: q
(root)@cscf[207]%
</pre>

---++ Check the AD installation

---+++ Did the machine get a Kerberos ticket?

This is what it looks like if it has a ticket.

<pre>
cscf.cs# ssh scspc400
root@scspc400:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA

Valid starting     Expires            Service principal
09/21/11 15:23:29  09/22/11 01:23:30  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
        renew until 09/22/11 15:23:29
root@scspc400:~#
root@scspc400:~# klist -k
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
root@scspc400:~# getent passwd ctucker
ctucker:*:8324:8324:ctucker:/u4/ctucker:/xhbin/csh
root@scspc400:~#
</pre>

If no ticket is obtained it may be that the krb5-user package is not installed. See "Problems and Solutions" below.

---+++ Test a remote login

<pre>
root@scspc400:~# tail -f /var/log/auth.log
...
Sep 21 15:27:12 scspc400 sshd[7473]: PAM adding faulty module: /lib/security/pam_foreground.so
Sep 21 15:27:17 scspc400 sshd[7473]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Sep 21 15:27:17 scspc400 sshd[7473]: pam_krb5(sshd:auth): (user gboerke) attempting authentication as gboerke@CS.UWATERLOO.CA
Sep 21 15:27:17 scspc400 sshd[7473]: pam_krb5(sshd:auth): user gboerke authenticated as gboerke@CS.UWATERLOO.CA
Sep 21 15:27:17 scspc400 sshd[7473]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Sep 21 15:27:17 scspc400 sshd[7473]: Accepted password for gboerke from 129.97.15.216 port 55623 ssh2
Sep 21 15:27:18 scspc400 sshd[7473]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (0x2)
Sep 21 15:27:18 scspc400 sshd[7473]: pam_krb5(sshd:setcred): (user gboerke) initializing ticket cache FILE:/tmp/krb5cc_1619_zB7473
Sep 21 15:27:18 scspc400 sshd[7473]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
Sep 21 15:27:18 scspc400 sshd[7473]: pam_mkhomedir(sshd:session): unknown option: mask=0022
Sep 21 15:27:18 scspc400 sshd[7473]: pam_krb5(sshd:session): pam_sm_open_session: entry (0x0)
Sep 21 15:27:18 scspc400 sshd[7473]: pam_krb5(sshd:session): pam_sm_open_session: exit (success)
Sep 21 15:27:18 scspc400 sshd[7477]: pam_krb5(sshd:setcred): pam_sm_setcred: entry (0x2)
Sep 21 15:27:18 scspc400 sshd[7477]: pam_krb5(sshd:setcred): pam_sm_setcred: exit (success)
</pre>

---+++ As seen on the remote terminal

<pre>
gboerke@herbert:~$ ssh gboerke@scspc400
The authenticity of host 'scspc400 (129.97.170.65)' can't be established.
RSA key fingerprint is 17:9c:eb:dc:f7:58:c7:f4:4b:9a:5e:fc:31:31:ac:6d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'scspc400,129.97.170.65' (RSA) to the list of known hosts.
gboerke@scspc400's password:
%
</pre>

---+++ Check the cron table

<pre>
root@scspc400:~# crontab -l
39 13 * * * /usr/bin/kinit -k host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA
0-55/5 * * * * /root/nscdcheck.sh
</pre>

---++ Final setup steps

---+++ Access control

If the user is not in a group, such as users_plg in this example, then put in the userid in place of users_plg for a single user machine. If you need to create a new group, see: CreatingGroupAccounts

<pre>
root@scspc400:/etc/security# vi access.conf

Add this...

+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cscf-adm root : ALL
+ : staff_cscf : ALL
+ : users_plg : ALL
- : ALL : ALL
</pre>

---+++ Sudo access

If there is an admin group in AD, add it here, as with the "admin_plg" group in this example. Replace "userid" with the user's id for a single-user machine. Otherwise, use "admin_group" (replacing with the appropriate group). If you need to create a new group, see: CreatingGroupAccounts

<pre>
root@scspc400:/etc# visudo

Add this...

# CSCF Staff sudoer privileges
%staff_cscf ALL=(ALL) ALL

# PLG Admins sudoer privileges
%admin_plg ALL=(ALL) ALL
userid ALL=(ALL) ALL
</pre>

%userid is the user's group and should not be included in the /etc/sudoers file.<br /><br />
Note: this allows users sudo access in a terminal session, but not in the GUI.<br />
Add the userid to the sudo group in /etc/group in Ubuntu 12.04 and later versions.<br />
Add the userid to the admin group in /etc/group in Ubuntu OS versions prior to 12.04.

<pre>
root@scspc400:/etc# adduser userid sudo
root@scspc400:/etc# adduser userid admin
</pre>

---++ Problems and Solutions

---+++ No Kerberos ticket

If the script ends with this:

<pre>
----------------------------------------
Creating keytab file on rsg-pc062.cs.uwaterloo.ca
----------------------------------------
rm: cannot remove `/etc/krb5.keytab': No such file or directory
bash: ktutil: command not found
chown: cannot access `/etc/krb5.keytab': No such file or directory
chmod: cannot access `/etc/krb5.keytab': No such file or directory
bash: kinit: command not found
cscf.cs#
</pre>

At the machine run "klist" and it will show that "apt-get install krb5-user" must be run.<br />
This may require enabling the sources list via "Ubuntu Software Centre" in the main menu or System > Administration > Update Manager > Settings button.<br />

---+++ Problems with the AD servers intacta or viridis

Sometimes the server is slow or just not behaving. If the script starts to use intacta stop it (ctrl-c). Try again until it selects serverus.<br />
I've also had viridis work, with it getting the kerberos key, but no login i.e. getent passwd gboerke.<br />

---+++ Other things to check

---++++ Make sure all of the home directory links have been created

Make sure the /u /xhbin are created.<br />
On a typical Ubuntu system the base for home directories is /home. In the CS Active Directory, we store the absolute path used in the CS core machines. The users there are broken into nine directories: /u1 ... /u9. Also, we are used to being able to =cd /u/userid=. So, we will create pointers from u, u1-u9 into /home:

<pre>
root@scspc239:/xhbin# for i in u u1 u2 u3 u4 u5 u6 u7 u8 u9; do ln -s /home /$i; done
root@scspc239:/xhbin# ls -ld /u*
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u1 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u2 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u3 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u4 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u5 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u6 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u7 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u8 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u9 -> /home
root@scspc239:/xhbin#
</pre>

---++++ Make sure the links to /xhbin shells have been created

This will keep all our home directories in the same place regardless of how they are created (locally or by AD login). They should look like this:<br />

<pre>
root@scspc368:/# ls -al xhbin
total 8
drwxr-xr-x 2 root root 4096 May 14 06:31 .
drwxr-xr-x 26 root root 4096 May 14 06:35 ..
lrwxrwxrwx 1 root root 9 May 14 06:31 bash -> /bin/bash
lrwxrwxrwx 1 root root 8 May 14 06:31 csh -> /bin/csh
lrwxrwxrwx 1 root root 9 May 14 06:31 dash -> /bin/dash
lrwxrwxrwx 1 root root 10 May 14 06:31 false -> /bin/false
lrwxrwxrwx 1 root root 8 May 14 06:31 ksh -> /bin/ksh
lrwxrwxrwx 1 root root 7 May 14 06:31 sh -> /bin/sh
lrwxrwxrwx 1 root root 9 May 14 06:31 tcsh -> /bin/tcsh
lrwxrwxrwx 1 root root 8 May 14 06:31 zsh -> /bin/zsh
</pre>

---++++ Fix the login screen

Since Ubuntu 12.04 Unity we require /etc/lightdm/lightdm.conf to look like this:

<pre>
[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
autologin-user=
greeter-show-manual-login=true
allow-guest=false
</pre>

---++++ User can't install applications nor run updates

They need to be added to the sudo or admin group in /etc/group.

---++++ To set the user's default shell.

If a user would like to have their default shell changed, you can do the following:

<pre>
The current solution is to log into a Solaris machine and set the shell.

You can find the unix attributes for a user by going into AD (login to najas for CS-GENERAL) and open the MMC Console:

    * Start -> Run: mmc
    * File -> Add&Remove Snapin
          o Click Add
          o Select: ADSI Edit -> Click: Add
          o Close -> OK
    * Right-Click ADSI Edit
          o Select: Connect To:
          o A dialogue box should appear with Path: LDAP://VIRIDIS.cs.uwaterloo.ca/Domain
          o Click: OK
    * Note: if you want to keep this handy, click File -> Save As -> save to your desktop; MMC Console.mmc (or similar)
    * Click [+] to open: ADSI Edit -> Domain -> DC -> OU=CS -> OU=Users
    * Scroll down to the user you are interested in
    * Right-click on the user -> Properties
          o Unix uid: uidNumber
          o Unix gid: gidNumber
          o Home directory: unixHomeDirectory
          o Shell: loginShell
</pre>

-- Main.GordBoerke - 21 Sep 2012
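
The keytab step in "Run Clayton's Script" adds DES, 3DES and RC4 keys next to the AES ones, and the =klist -k= check does not show which enctypes ended up in the file. This added example (not part of the original page or of Clayton's script) lists the deprecated-enctype entries from =klist -ke= output; the sample input is constructed and assumes MIT =klist= formatting.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page or of linux_into_ad_v4.sh.
# Lists keytab entries whose enctype is DES, 3DES or RC4.

# Constructed sample of `klist -ke /etc/krb5.keytab` output (MIT format),
# using the page's example principal and the six enctypes shown in its log.
SAMPLE_KLIST_KE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA (des-cbc-md5)
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA (arcfour-hmac)
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA (des-cbc-crc)
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA (des3-cbc-sha1)
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA (aes256-cts-hmac-sha1-96)
   1 host/ubuntu_scspc400.cs.uwaterloo.ca@CS.UWATERLOO.CA (aes128-cts-hmac-sha1-96)'

# weak_keytab_entries: read `klist -ke` output on stdin and print
# "KVNO principal enctype" for every DES, 3DES or RC4 key.
weak_keytab_entries() {
    awk '
        # Data rows are "<kvno> <principal> (<enctype>)"; header rows are
        # skipped because their first field is not a number.
        $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
            enc = $NF
            gsub(/[()]/, "", enc)
            # Newer MIT releases prefix these names with "DEPRECATED:".
            if (tolower(enc) ~ /des-cbc-|des3-|arcfour|rc4/)
                print $1, $2, enc
        }'
}

# keytab_has_no_weak_keys: exit 0 when stdin holds no weak entries, else 1.
keytab_has_no_weak_keys() {
    [ -z "$(weak_keytab_entries)" ]
}

# Run against the constructed sample. On a joined host use instead:
#   klist -ke /etc/krb5.keytab | weak_keytab_entries
printf '%s\n' "$SAMPLE_KLIST_KE" | weak_keytab_entries
```
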
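
For the "Test a remote login" check, it is worth confirming from auth.log that the accepted login was authenticated by =pam_krb5= against the expected realm and not by a local password. This added example (not part of the original page) pairs each sshd =Accepted= line with a =pam_krb5= success from the same sshd process; the first three sample lines are the page's own, the =cscf-adm= line and its address are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page.
# Reports, per accepted sshd login, whether pam_krb5 authenticated it.

REALM='CS.UWATERLOO.CA'   # realm shown in the page's log

# Lines 1-3 are copied from the page; line 4 (cscf-adm, 192.0.2.10) is
# constructed to show a login with no pam_krb5 success behind it.
SAMPLE_AUTH_LOG='Sep 21 15:27:17 scspc400 sshd[7473]: pam_krb5(sshd:auth): (user gboerke) attempting authentication as gboerke@CS.UWATERLOO.CA
Sep 21 15:27:17 scspc400 sshd[7473]: pam_krb5(sshd:auth): user gboerke authenticated as gboerke@CS.UWATERLOO.CA
Sep 21 15:27:17 scspc400 sshd[7473]: Accepted password for gboerke from 129.97.15.216 port 55623 ssh2
Sep 21 15:31:02 scspc400 sshd[7601]: Accepted password for cscf-adm from 192.0.2.10 port 55700 ssh2'

# login_auth_report REALM: read auth.log lines on stdin and print
# "user source method status" for every sshd "Accepted ..." line.
# status is krb5, krb5-other-principal or no-krb5.
login_auth_report() {
    awk -v realm="$1" '
        # pam_krb5 success: remember the principal for this sshd process tag.
        $6 == "pam_krb5(sshd:auth):" && $7 == "user" && $9 == "authenticated" {
            princ[$5] = $11
            next
        }
        # "Accepted <method> for <user> from <source> ..."
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" {
            user = $9; src = $11; status = "no-krb5"
            if ($5 in princ) {
                if (princ[$5] == (user "@" realm)) status = "krb5"
                else status = "krb5-other-principal"
                delete princ[$5]   # PIDs are reused; do not carry state over
            }
            print user, src, $7, status
        }'
}

# non_krb5_logins REALM: only the logins that did not pass pam_krb5 as
# user@REALM (expected for local accounts, worth a look for AD users).
non_krb5_logins() {
    login_auth_report "$1" | awk '$4 != "krb5"'
}

# Run against the sample. On a host: login_auth_report "$REALM" < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | login_auth_report "$REALM"
```
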
Topic revision: r11 - 2024-10-30 - MariHassanzada
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.