Setting up a GradPC using the CS-GENERAL Active Directory
Background
This page documents the setup of a standard grad PC with the X2GEN010.gho image to use the CS Active Directory. I'm following the notes in ADAddUbuntu and ADAddSolaris10. The headings in this document mirror those in the two referenced documents. What follows is a detailed step-by-step set of instructions; the other two documents provide background and theory that this page does not attempt to duplicate, and should be consulted if anything doesn't go as expected. In the examples below, we are setting up scspc239.cs; adjust the commands for the machine you are working with.
Initial Steps
The command:
ldapsearch -x -H ldap://ldap.cs -b dc=cs,dc=uwaterloo,dc=ca cn=lfolland
worked out of the box.
Requisite Software
In ADAddUbuntu it says the following are needed:
- sudo apt-get -y install ldap-utils krb5-user libnss-ldap libpam-krb5 libpam-foreground ntp
Individually:
- ldap-utils: $ sudo apt-get -y install ldap-utils
- krb5-user: $ sudo apt-get -y install krb5-user
- libnss-ldap: $ sudo apt-get -y install libnss-ldap
- libpam-krb5: $ sudo apt-get -y install libpam-krb5
- libpam-foreground: $ sudo apt-get -y install libpam-foreground
- ntp: $ sudo apt-get -y install ntp
They all seem to be installed, so I'll skip that unless needed:
cscf-adm@scspc239:~$ dpkg -l|egrep "ldap-utils|krb5-user|libnss-ldap|libpam-krb5|libpam-foreground|ntp"
ii krb5-user 1.6.dfsg.4~beta1-5ubuntu2 Basic programs to authenticate using MIT Kerberos
ii ldap-utils 2.4.15-1ubuntu3 OpenLDAP utilities
ii libnss-ldap 261-2.1ubuntu1 NSS module for using LDAP as a naming service
ii libpam-foreground 0.5 create lockfiles describing which users own which console
ii libpam-krb5 3.13-2ubuntu1 PAM module for MIT Kerberos
ii ntp 1:4.2.4p4+dfsg-7ubuntu5.1 Network Time Protocol daemon and utility programs
ii ntpdate 1:4.2.4p4+dfsg-7ubuntu5.1 client for setting system time from NTP servers
Also openssh-server is required.
Configuration Of The Ubuntu NSS (Name Service Switch)
Before:
root@scspc239:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
...
passwd: compat
group: compat
shadow: compat
...
After:
root@scspc239:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
...
passwd: files ldap
group: files ldap
shadow: files ldap
...
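The edit above is small but worth scripting when several machines get the same treatment: the three databases must read "files ldap" in that order, so that root, cscf-adm and the other local accounts keep resolving from /etc/passwd even when ldap.cs is unreachable. The following helper is an added example, not part of the original page; it takes the path of an nsswitch.conf-style file (defaulting to /etc/nsswitch.conf) and rewrites the passwd, group and shadow lines in place, with a check function that confirms the ordering.

```shell
#!/bin/sh
# Added example (not from the original page): switch the passwd, group and
# shadow databases in an nsswitch.conf-style file to "files ldap". Local files
# are consulted first, so root and cscf-adm still resolve when the LDAP server
# is down. The file path defaults to /etc/nsswitch.conf; the test uses a
# constructed copy instead.

set_nss_databases() {
    file="${1:-/etc/nsswitch.conf}"
    for db in passwd group shadow; do
        if grep -q "^${db}:" "$file"; then
            # replace the existing line whatever its current sources are
            tmp="${file}.tmp.$$"
            sed "s/^${db}:.*/${db}: files ldap/" "$file" > "$tmp" && mv "$tmp" "$file"
        else
            printf '%s: files ldap\n' "$db" >> "$file"
        fi
    done
}

# Return 0 only if all three databases list "files" before "ldap",
# the ordering this page relies on.
check_nss_databases() {
    file="${1:-/etc/nsswitch.conf}"
    for db in passwd group shadow; do
        grep -q "^${db}:[[:space:]]*files[[:space:]]*ldap" "$file" || return 1
    done
    return 0
}

# Print the configured sources for one database, e.g.
#   nss_sources /etc/nsswitch.conf hosts
nss_sources() {
    sed -n "s/^${2}:[[:space:]]*//p" "$1"
}
```

The hosts line is deliberately left alone, since the page only changes the three user databases.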
DNS configuration
It says that the following should appear:
hosts: dns files
Not sure if this is OK or not; this is what we have by default:
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
which searches files before dns. Is that a problem?
Checking /etc/hostname and /etc/hosts:
Before:
root@scspc239:~# cat /etc/hostname
scspc239.cs
root@scspc239:~# cat /etc/hosts
127.0.0.1 scspc239.cs localhost.localdomain localhost
127.0.1.1 scspc239.cs
...
After:
root@scspc239:~# cat /etc/hosts
129.97.169.219 scspc239.cs scspc239.cs.uwaterloo.ca
127.0.0.1 scspc239.cs localhost.localdomain localhost
127.0.1.1 scspc239.cs
...
Configuration Of Ubuntu LDAP Client
We now need to update /etc/ldap.conf as per ADAddUbuntu#Configuration_Of_Ubuntu_LDAP_Cli. In particular, fix the "base" and "uri" lines, then uncomment all of the lines in the
# RFC 2307 (AD) mappings
section. Note that the uniqueMember mapping needs "memberUid" rather than the "member" that is in the file (not sure why), i.e.:
nss_map_attribute uniqueMember memberUid
You will also need to add the line:
nss_map_attribute cn displayName
I also removed the ##DEBCONF## line at the beginning and edited the file manually, as I couldn't find exactly which utility dpkg-reconfigure would use to update the file.
Before:
root@scspc239:~# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=example,dc=net
uri ldapi:///
ldap_version 3
rootbinddn cn=manager,dc=example,dc=net
pam_password md5
nss_initgroups_ignoreusers Debian-exim,avahi,avahi-autoipd,backup,bin,daemon,davfs2,debian-xfs,distccd,festival,fetchmail,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,proxy,pulse,root,saned,snmp,sshd,sync,sys,syslog,uucp,vde2-net,www-data
After:
root@scspc239:/etc# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=cs,dc=uwaterloo,dc=ca
uri ldap://ldap.cs.uwaterloo.ca/
ldap_version 3
bind_policy soft
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember memberUid
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
So, at this point, we should be able to test using:
getent passwd username
root@scspc239:/etc/X11# getent passwd lfolland
lfolland:*:1234:1234:Lawrence Folland,DC 2563:/u3/lfolland:/xhbin/bash
And just checking the group information:
root@scspc239:/etc/X11# getent group | grep "^lfolland"
lfolland:*:1234:
If getent passwd userid does not work for one user but does work for other users:
- Make sure the user account has been created in AD and in core-cs.
- If the userid is valid, check that the user's GID has propagated to AD (check this in najas). If it hasn't, getent will fail.
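The two failure modes above (missing account, GID not propagated) plus the login shell problem dealt with later on this page can be checked in one go. The function below is an added example, not from the original page: it runs the same getent passwd lookup, then confirms that the user's GID resolves through getent group and that the shell stored in AD actually exists on this host. It assumes a working NSS configuration and is tested here against the local root account, which resolves on any Linux box.

```shell
#!/bin/sh
# Added example (not from the original page): extend "getent passwd username"
# with the checks that otherwise surface only at login time. Returns 0 when
# everything resolves; otherwise prints what is missing and returns 1.

check_ad_user() {
    user="$1"
    entry=$(getent passwd "$user") || {
        echo "no passwd entry for $user (check AD and core-cs)"
        return 1
    }
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    status=0
    # the GID must resolve, or getent/login fails for this one user
    if ! getent group "$gid" >/dev/null 2>&1; then
        echo "GID $gid of $user does not resolve (has it propagated to AD?)"
        status=1
    fi
    # AD stores /xhbin/... shells; the link must exist locally
    if [ ! -x "$shell" ]; then
        echo "login shell $shell for $user is missing on this host"
        status=1
    fi
    [ -n "$home" ] || { echo "$user has no home directory set"; status=1; }
    return $status
}

# Primary group name for a user, or empty (and non-zero) if it cannot be resolved.
ad_user_group() {
    gid=$(getent passwd "$1" | cut -d: -f4)
    [ -n "$gid" ] || return 1
    getent group "$gid" | cut -d: -f1
}
```

Run it as check_ad_user lfolland after the ldap.conf change; a non-zero exit with the printed reason tells you which of the two fixes above to apply.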
Configuration Of The Ubuntu Kerberos Client
apt-get -y install ntp
(unnecessary in the X2GEN010.GHO image)
Update /etc/ntp.conf:
Before:
# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com
After:
# You do need to talk to an NTP server or two (or three).
server ntp.student.cs.uwaterloo.ca
server ntp.cs.uwaterloo.ca
server ntp.ubuntu.com
Restart NTP:
root@scspc239:/etc/X11# /etc/init.d/ntp stop
* Stopping NTP server ntpd
...done.
root@scspc239:/etc/X11# ntpdate ntp.student.cs.uwaterloo.ca
22 Oct 11:50:39 ntpdate[563]: adjust time server 129.97.152.10 offset -0.134501 sec
root@scspc239:/etc/X11# /etc/init.d/ntp start
* Starting NTP server ntpd
...done.
Creation Of Active Directory Kerberos Credentials For The Ubuntu Computer
Note: I'm following the directions here: https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#Active_Directory_Setup_For_Each, which has a lot of the background info.
- login to najas.cs (our AD server) with your -adm account (admin privileges)
- Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
- Navigate to cs.uwaterloo.ca -> CS -> Linux Hosts
- Right-click on Linux Hosts and choose New -> User (yes, User)
- if the machine you are creating is called "scspc239.cs", enter "scspc239-host" as the "Full name" and the "User logon name", click Next
- Use a complex password (we have handy stickers for that purpose). You will need to know this password later.
- Uncheck "User must change password at next login"
- Click Next, then Finish. It should now show up in the list of Linux Hosts
- Right-click on your new machine-host record and click "Properties", or just double-click on the item
- Click on the Account tab
- Scroll down the list of Account options and check "Do not require Kerberos preauthentication"
- Click on the General tab and enter something like "Kerberos host principal for Linux host scspc239.cs.uwaterloo.ca" in the Description then click "Ok"
Create A keytab File for the Ubuntu Host
On najas.cs, open a command window and enter the following all on a single command line. In the following example, the machine we're setting up is "scspc239". The password you used previously goes where it says "yourpasswordhere":
ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA -mapuser CS-GENERAL\scspc239-host -pass yourpasswordhere -out c:\temp\krb5.keytab
Output:
Targeting domain controller: intacta.cs.uwaterloo.ca
Successfully mapped host/scspc239.cs.uwaterloo.ca to scspc239-host.
Key created.
Output keytab to c:\temp\krb5.keytab:
Keytab version: 0x502
keysize 72 host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x51dfd67a4a899729)
Account scspc239-host has been set for DES-only encryption.
You now need to copy the resulting file (c:\temp\krb5.keytab) to the machine you're setting up. I used the SSH client to connect to the machine I'm setting up (scspc239), then clicked on the File Transfer window and copied the file over. It needs to go in /etc/krb5.keytab on the new system (not /etc/krb5/krb5.keytab as it would be on Solaris). Make sure the permissions are 600:
# chmod 600 /etc/krb5.keytab
and that it is owned by root:
# chown root:root /etc/krb5.keytab
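The keytab holds the host principal's long-term key, so the 600/root:root requirement is worth verifying before moving on to kinit rather than discovering a world-readable copy later. The helper below is an added example, not part of the original page; it uses GNU/busybox stat, defaults to /etc/krb5.keytab and an expected owner of root, and the fix function applies the chmod and chown from above (the group argument is separate only so the test can run unprivileged on a scratch file).

```shell
#!/bin/sh
# Added example (not from the original page): check, and optionally fix, the
# ownership and mode of the copied keytab. Exits non-zero with a reason when
# the file is missing, readable by others, or not owned by the expected user.

check_keytab_perms() {
    keytab="${1:-/etc/krb5.keytab}"
    want_owner="${2:-root}"
    [ -f "$keytab" ] || { echo "$keytab: missing"; return 1; }
    mode=$(stat -c '%a' "$keytab")     # octal permission bits (GNU/busybox stat)
    owner=$(stat -c '%U' "$keytab")
    rc=0
    [ "$mode" = "600" ] || { echo "$keytab: mode is $mode, expected 600"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$keytab: owned by $owner, expected $want_owner"; rc=1; }
    return $rc
}

# Apply the chmod/chown from the page, then re-check. Needs root for chown
# to another user; the group defaults to the owner name (root:root).
fix_keytab_perms() {
    keytab="${1:-/etc/krb5.keytab}"
    want_owner="${2:-root}"
    want_group="${3:-$want_owner}"
    chmod 600 "$keytab" &&
    chown "$want_owner:$want_group" "$keytab" &&
    check_keytab_perms "$keytab" "$want_owner"
}
```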
Configure The Ubuntu Kerberos Client
Copy the entire /etc/krb5.conf file to replace the existing version. You can find it here:
https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete
Initialize the Kerberos client
In this case, we're setting up scspc239.cs, so the command is:
# kinit -k -t /etc/krb5.keytab host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA
If it fails with the message "kinit: KDC has no support for encryption type while getting initial credentials", use another encryption type. From the notes at https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete (replace computername with scspc239 and KVNO_number with the actual number, e.g. 4):
1. Obtain the KVNO number for the host's SPN from the existing keytab file with the command klist -k -t /etc/krb5.keytab
2. Set aside the existing keytab file by renaming it
3. Enter the ktutil command to enter into the ktutil interface
4. Within the ktutil interface, create a new key entry and write it back to /etc/krb5.keytab
* addent -password -p host/computername.cs.uwaterloo.ca@CS.UWATERLOO.CA -k KVNO_number -e rc4-hmac
* At the password prompt supply the password for the Active Directory computername-host account
* wkt /etc/krb5.keytab
* q (quit command)
Interestingly, this may not fix it until the properties for scspc239-host in najas are adjusted by removing the DES encryption option (right-click > Properties > Account tab > Account Options).
Success?
Run the klist command. You should see something similar to:
root@scspc239:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA
Valid starting Expires Service principal
10/22/09 16:37:35 10/23/09 02:37:35 krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
renew until 10/23/09 16:37:35
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Configuration Of The Ubuntu PAM Stack
Reference:
ADAddUbuntu#Configuration_Of_The_Ubuntu_PAM
I started by making a backup of all of the config files:
# cd /etc/pam.d
# for i in common-auth common-account common-session common-password sudo; do cp $i $i.orig; done
Update each of the following files so that all other lines are commented out, then add the indicated lines to the bottom of the file (I usually add a comment line before them noting that this is a CSCF custom config, with the date and author):
/etc/pam.d/common-auth
auth sufficient pam_krb5.so forwardable ignore_root debug
auth required pam_unix.so try_first_pass nullok_secure
account required pam_access.so
/etc/pam.d/common-account
account sufficient pam_ldap.so debug
account required pam_unix.so
/etc/pam.d/common-session
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
session sufficient pam_krb5.so debug
session required pam_unix.so
session optional pam_foreground.so
/etc/pam.d/common-password
password sufficient pam_krb5.so ignore_root debug
password required pam_unix.so nullok obscure min=4 max=8 md5
Additional Configurations For CSCF Ubuntu Workstations
I've included some of the changes listed here:
ADAddUbuntu#Additional_Configurations_For_CS into the above. There are a few other necessary changes.
/etc/pam.d/sudo
Before:
root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
After:
root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0
# Custom config for CSCF
# lfolland (2009/10/23)
# include common-auth
auth sufficient pam_krb5.so forwardable ignore_root debug
auth required pam_unix.so try_first_pass nullok_secure
@include common-account
/etc/security/access.conf
root@scspc239:/etc/pam.d# cd /etc/security
root@scspc239:/etc/security# cp access.conf access.conf.orig
By default, the entire file is commented out, so add the following to the end:
+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cscf-adm root : 129.97.0.0/16
+ : staff_cscf : ALL
+ : users_researchgroup : ALL
- : ALL : ALL
Note: replace "users_researchgroup" with the Active Directory group that contains the users of that research group. By convention, we call those groups "users_name-of-group", e.g. "users_watform" or "users_plg". The group needs to be created with a permanent GID; for now, send email to accounts@cs to request group creation. If the user has no group, replace users_researchgroup with the user's ID.
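The PAM stack, the sudo PAM file and the access.conf entries above are the part of this setup most worth doing from a script, since a typo in common-auth or a missing final deny line in access.conf changes who can log in. The script below is an added example, not part of the original page; it writes exactly the file contents shown in the three sections above, backs each file up to .orig once (as the cp loop earlier does), appends the access.conf entries only once, and takes the research-group name and the header stamp as parameters. ROOT is prefixed to every path so it can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): apply the common-* PAM files, the
# sudo PAM file and the access.conf entries from the sections above in one go.
# ROOT (default "") is prefixed to every path; GROUP is the users_<group> AD
# group; STAMP is the date/author line for the header comment. An existing
# *.orig backup is never overwritten.

backup_once() {
    [ -f "$1" ] && [ ! -f "$1.orig" ] && cp "$1" "$1.orig"
    return 0
}

write_pam_stack() {
    root="${1:-}"
    group="${2:-users_researchgroup}"
    stamp="${3:-cscf $(date +%Y/%m/%d)}"
    pamd="$root/etc/pam.d"
    sec="$root/etc/security"
    mkdir -p "$pamd" "$sec"
    for f in common-auth common-account common-session common-password sudo; do
        backup_once "$pamd/$f"
    done
    backup_once "$sec/access.conf"
    header="# Custom config for CSCF
# $stamp"

    cat > "$pamd/common-auth" <<EOF
$header
auth sufficient pam_krb5.so forwardable ignore_root debug
auth required pam_unix.so try_first_pass nullok_secure
account required pam_access.so
EOF
    cat > "$pamd/common-account" <<EOF
$header
account sufficient pam_ldap.so debug
account required pam_unix.so
EOF
    cat > "$pamd/common-session" <<EOF
$header
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
session sufficient pam_krb5.so debug
session required pam_unix.so
session optional pam_foreground.so
EOF
    cat > "$pamd/common-password" <<EOF
$header
password sufficient pam_krb5.so ignore_root debug
password required pam_unix.so nullok obscure min=4 max=8 md5
EOF
    # sudo carries the auth lines inline instead of "@include common-auth"
    cat > "$pamd/sudo" <<EOF
#%PAM-1.0
$header
# include common-auth
auth sufficient pam_krb5.so forwardable ignore_root debug
auth required pam_unix.so try_first_pass nullok_secure
@include common-account
EOF
    # access.conf is all comments by default: append the allow list and the
    # final deny-all, but only if the deny-all is not already there
    if ! grep -q '^- : ALL : ALL' "$sec/access.conf" 2>/dev/null; then
        {
            printf '%s\n' "$header"
            printf '%s\n' \
                "+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6" \
                "+ : cscf-adm root : 129.97.0.0/16" \
                "+ : staff_cscf : ALL" \
                "+ : $group : ALL" \
                "- : ALL : ALL"
        } >> "$sec/access.conf"
    fi
}

# Sanity check: pam_access is wired in and access.conf ends with the deny-all.
pam_stack_ok() {
    root="${1:-}"
    grep -q '^account required pam_access.so' "$root/etc/pam.d/common-auth" &&
    [ "$(tail -n 1 "$root/etc/security/access.conf")" = "- : ALL : ALL" ]
}
```

On a real machine run it as root with an empty ROOT, e.g. write_pam_stack "" users_watform "lfolland (2009/10/23)", and keep a root shell open until a test login from another session succeeds.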
Update the sudoers file
We'd like to provide sudo access to CSCF staff as well as the list of admin users for the specific research group
# visudo
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# CS Active directory groups with sudo privileges
%staff_cscf ALL=(ALL) ALL
%admin_plg ALL=(ALL) ALL
If the user is not in an admin group, i.e. not in PLG or AI etc., then replace %admin_plg with the user's ID without the percent sign
Additional Configurations For Enabling Single Sign On (SSO)
While this may not be strictly necessary, it is helpful to users if they can move from one machine to another within the same Kerberos realm. Practically speaking, that will be all machines set up in a way similar to this, i.e. authenticating to our Active Directory. Most of the machines in the CS Core do not yet do this, but it is the direction, and as we migrate research groups to this approach it will allow easy movement between machines.
Reference:
ADAddUbuntu#Additional_Configurations_For_En
In /etc/ssh/sshd_config, in the section "# GSSAPI options", make the following changes:
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
The notes say to set
UsePAM
to yes, but that is already set, so it's ok.
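One caveat when making the sshd_config edits above by hand: sshd uses the first uncommented occurrence of a keyword, so a "GSSAPIAuthentication yes" added near the bottom is silently ignored if an earlier line still says "no". The helpers below are an added example, not part of the original page; they resolve the effective value the way sshd does (first active line wins, keywords case-insensitive), replace an existing line instead of appending a duplicate, and check the three settings this section relies on. The path defaults to /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original page): query, set and verify the
# sshd_config options needed for GSSAPI single sign-on. Comment lines are
# left untouched; only active lines for the keyword are replaced.

# Effective value of KEY in FILE: first active line wins; empty if unset.
sshd_effective() {
    file="${1:-/etc/ssh/sshd_config}"
    key="$2"
    awk -v key="$key" 'tolower($1) == tolower(key) { print $2; exit }' "$file"
}

# Set KEY to VALUE, removing every existing active line for KEY first so
# that first-match semantics cannot pick up a stale value.
set_sshd_option() {
    file="${1:-/etc/ssh/sshd_config}"
    key="$2"
    value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" 'tolower($1) != tolower(key)' "$file" > "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Verify the settings this page needs for SSO over SSH.
check_sso_sshd() {
    file="${1:-/etc/ssh/sshd_config}"
    rc=0
    for key in GSSAPIAuthentication GSSAPICleanupCredentials UsePAM; do
        v=$(sshd_effective "$file" "$key")
        [ "$v" = "yes" ] || { echo "$key is '${v:-unset}', expected yes"; rc=1; }
    done
    return $rc
}
```

After changing the file, restart sshd and run check_sso_sshd before logging out of the session you edited from.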
Create standard shells
Our Active Directory stores the user's login shell. However, given that it was originally set up for use on the CS core servers, these are usually kept in the /xhbin directory. Therefore you will need a link to the local version of, at a minimum: bash, sh, csh and tcsh.
root@scspc239:~# mkdir /xhbin
root@scspc239:~# which bash
/bin/bash
root@scspc239:~# ln -s /bin/bash /xhbin/bash
root@scspc239:~# which csh
/bin/csh
root@scspc239:~# ln -s /bin/csh /xhbin/csh
root@scspc239:~# which sh
/bin/sh
root@scspc239:~# ln -s /bin/sh /xhbin/sh
root@scspc239:~# which tcsh
/usr/bin/tcsh
root@scspc239:~# ln -s /usr/bin/tcsh /xhbin/tcsh
root@scspc239:~# cd /xhbin
root@scspc239:/xhbin# ls -l
total 0
lrwxrwxrwx 1 root root 9 2009-10-26 10:17 bash -> /bin/bash
lrwxrwxrwx 1 root root 8 2009-10-26 10:17 csh -> /bin/csh
lrwxrwxrwx 1 root root 7 2009-10-26 10:16 sh -> /bin/sh
lrwxrwxrwx 1 root root 13 2009-10-26 10:15 tcsh -> /usr/bin/tcsh
Create home directory pointers
On a typical Ubuntu system the base for home directories is /home. In the CS Active Directory, we store the absolute path used on the CS core machines, where users are spread across nine directories: /u1 ... /u9. We are also used to being able to cd /u/userid. So, we will create pointers from u and u1-u9 into /home:
root@scspc239:/xhbin# for i in u u1 u2 u3 u4 u5 u6 u7 u8 u9; do ln -s /home /$i; done
root@scspc239:/xhbin# ls -ld /u*
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u1 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u2 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u3 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u4 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u5 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u6 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u7 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u8 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u9 -> /home
root@scspc239:/xhbin#
This will keep all our home directories in the same place regardless of how they are created (locally or by AD login)
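The two link-creation sequences above (the /xhbin shells and the /u, /u1-/u9 pointers) are the same on every machine set up this way, so here they are as one re-runnable script. This is an added example, not part of the original page: it prefixes ROOT to every path so it can be tried in a scratch directory, reports any shell that is not installed locally instead of creating a dangling link, and leaves existing links alone so it can be run again after installing tcsh.

```shell
#!/bin/sh
# Added example (not from the original page): create /xhbin/<shell> links for
# the shells stored in AD and the /u* -> /home pointers. ROOT (default "")
# is prefixed to every path. Shells not present locally are listed and skipped.

make_xhbin_links() {
    root="${1:-}"
    [ $# -gt 0 ] && shift
    [ $# -gt 0 ] || set -- bash sh csh tcsh      # minimum set named on the page
    mkdir -p "$root/xhbin"
    missing=""
    for s in "$@"; do
        target=$(command -v "$s" 2>/dev/null) || { missing="$missing $s"; continue; }
        [ -e "$root/xhbin/$s" ] || ln -s "$target" "$root/xhbin/$s"
    done
    [ -z "$missing" ] || echo "not installed locally, no link made:$missing"
    return 0
}

make_home_pointers() {
    root="${1:-}"
    mkdir -p "$root/home"
    for i in u u1 u2 u3 u4 u5 u6 u7 u8 u9; do
        [ -e "$root/$i" ] || ln -s "$root/home" "$root/$i"
    done
}
```

With an empty ROOT this reproduces the ln -s commands shown above; a user whose AD record says /xhbin/tcsh and /u3/lfolland then lands in /home/lfolland with a working shell.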
Test your setup
Check to make sure LDAP is still working:
getent passwd someuserid
Test logging in to your new system:
@cscf[104]% ssh scspc239
lfolland@scspc239's password:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/X11/xauth: creating new authority file /u3/lfolland/.Xauthority
lfolland@scspc239:~$
- and it works!