Setting up a GradPC using the CS-GENERAL Active Directory

Background

This page documents the setup of a standard grad PC with the X2GEN010.gho image to use the CS Active Directory. I'm following the notes here: ADAddUbuntu and ADAddSolaris10. The headings in this document will mirror those in the two referenced documents. What follows is a detailed step-by-step set of instructions. The other two documents provide background and theory that this does not attempt to duplicate. They should be referenced if you run into anything that doesn't go as expected. In the examples below, we are setting up scspc239.cs. Adjust the commands for the machine you are working with.

Initial Steps

The command: ldapsearch -x -H ldap://ldap.cs -b dc=cs,dc=uwaterloo,dc=ca cn=lfolland worked out-of-the-box

Requisite Software

In ADAddUbuntu it says the following are needed:

• sudo apt-get -y install ldap-utils install krb5-user libnss-ldap libpam-krb5 libpam-foreground ntp

Individually:

• ldap-utils $sudo apt-get -y install ldap-utils
• krb5-user $sudo apt-get -y install krb5-user
• libnss-ldap $sudo apt-get -y install libnss-ldap
• libpam-krb5 $sudo apt-get -y install libpam-krb5
• libpam-foreground $sudo apt-get -y install libpam-foreground
• ntp $sudo apt-get install ntp

They all seem to be installed, so I'll skip that unless needed:

cscf-adm@scspc239:~$ dpkg -l|egrep "ldap-utils|krb5-user|libnss-ldap|libpam-krb5|libpam-foreground|ntp"
ii  krb5-user                                  1.6.dfsg.4~beta1-5ubuntu2                 Basic programs to authenticate using MIT Kerberos
ii  ldap-utils                                 2.4.15-1ubuntu3                           OpenLDAP utilities
ii  libnss-ldap                                261-2.1ubuntu1                            NSS module for using LDAP as a naming service
ii  libpam-foreground                          0.5                                       create lockfiles describing which users own which console
ii  libpam-krb5                                3.13-2ubuntu1                             PAM module for MIT Kerberos
ii  ntp                                        1:4.2.4p4+dfsg-7ubuntu5.1                 Network Time Protocol daemon and utility programs
ii  ntpdate                                    1:4.2.4p4+dfsg-7ubuntu5.1                 client for setting system time from NTP servers

Also openssh-server is required.

Configuration Of The Ubuntu NSS (Network Services Switch)

• nsswitch.conf: /etc/nsswitch.conf

Before:

root@scspc239:~# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
...
passwd:         compat
group:          compat
shadow:         compat

...

After:

root@scspc239:~# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
...
passwd:         files ldap
group:          files ldap
shadow:         files ldap

...

DNS configuration

It says that the following should appear: hosts: dns files

Not sure if this is ok or not (this is what we have by default): hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4 which says to search files before dns - is that a problem?

Checking /etc/hostname and /etc/hosts:

Before:

root@scspc239:~# cat /etc/hostname
scspc239.cs
root@scspc239:~# cat /etc/hosts
127.0.0.1   scspc239.cs   localhost.localdomain   localhost
127.0.1.1   scspc239.cs
...

After:

root@scspc239:~# cat /etc/hosts
129.97.169.219 scspc239.cs scspc239.cs.uwaterloo.ca
127.0.0.1   scspc239.cs   localhost.localdomain   localhost
127.0.1.1   scspc239.cs
...

Configuration Of Ubuntu LDAP Client

We now need to update /etc/ldap.conf

You will need to update /etc/ldap.conf as per ADAddUbuntu#Configuration_Of_Ubuntu_LDAP_Cli

In particular, you will need to fix the "base" and "uri" lines, and then uncomment all of the lines in the # RFC 2307 (AD) mappings section, note that you need to put "memberUid" rather than "member" as it is in the file (not sure why) (ie: nss_map_attribute uniqueMember memberUid ) also you will need to add the line: nss_map_attribute cn displayName

Also, I removed the line ##DEBCONF## at the begininning and editted the file manually as I couldn't find exactly what utility would be used to update the file using dpkg-reconfigure

Before:

root@scspc239:~# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=example,dc=net
uri ldapi:///
ldap_version 3
rootbinddn cn=manager,dc=example,dc=net
pam_password md5
nss_initgroups_ignoreusers Debian-exim,avahi,avahi-autoipd,backup,bin,daemon,davfs2,debian-xfs,distccd,festival,fetchmail,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,proxy,pulse,root,saned,snmp,sshd,sync,sys,syslog,uucp,vde2-net,www-data

After:

root@scspc239:/etc# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=cs,dc=uwaterloo,dc=ca
uri ldap://ldap.cs.uwaterloo.ca/
ldap_version 3
bind_policy soft
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember memberUid
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

So, at this point, we should be able to test using: getent passwd username

root@scspc239:/etc/X11# getent passwd lfolland
lfolland:*:1234:1234:Lawrence Folland,DC 2563:/u3/lfolland:/xhbin/bash

And just checking the group information:

root@scspc239:/etc/X11# getent group | grep "^lfolland"
lfolland:*:1234:

If the getent passwd userid does not work for one user, but does work for other users:

Make sure the user account has been created in AD and the core-cs
If the userid is valid check that the user's GID has propagated to AD (check this in najas). If it hasn't getent will fail.

Configuration Of The Ubuntu Kerberos Client

apt-get -y install ntp (unnecessary in X2GEN010.GHO image)

update /etc/ntp.conf

Before:

# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com

After:

# You do need to talk to an NTP server or two (or three).
server ntp.student.cs.uwaterloo.ca
server ntp.cs.uwaterloo.ca
server ntp.ubuntu.com

Restart NTP:

root@scspc239:/etc/X11# /etc/init.d/ntp stop
 * Stopping NTP server ntpd
   ...done.
root@scspc239:/etc/X11# ntpdate ntp.student.cs.uwaterloo.ca
22 Oct 11:50:39 ntpdate[563]: adjust time server 129.97.152.10 offset -0.134501 sec
root@scspc239:/etc/X11# /etc/init.d/ntp start
 * Starting NTP server ntpd
   ...done.

Creation Of Active Directory Kerberos Credentials For The Ubuntu Computer

Note: following the directions here: https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#Active_Directory_Setup_For_Each which has a lot of the background info

• login to najas.cs (our AD server) with your -adm account (admin privilges)
• Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
• Navigate to cs.uwaterloo.ca -> CS -> Linux Hosts
• Right-click on Linux Hosts and choose New -> User (yes, User)
• if the machine you are creating is called "scspc239.cs", enter "scspc239-host" as the "Full name" and the "Userlogon name", click Next
• Use a complex password (we have handy stickers for that purpose). You will need to know this password later.
• Uncheck "User must change password at next login"
• Click Next, then Finish. It should now show up in the list of Linux Hosts
• Right-click on your new machine-host record and click "Properties", or just double-click on the item
• Click on the Account tab
• Scroll down the list of Account options and check "Do not require Kerberos preauthentication"
• Click on the General tab and enter something like "Kerberos host principal for Linux host scspc239.cs.uwaterloo.ca" in the Description then click "Ok"

Create A keytab File for the Ubuntu Host

On najas.cs, open a command window and enter the following all on a single command line. In the following example, the machine we're setting up is "scspc239". The password you used previously goes where it says "yourpasswordhere":

ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA -mapuser CS-GENERAL\scspc239-host -pass yourpasswordhere -out c:\temp\krb5.keytab

Output:

Targeting domain controller: intacta.cs.uwaterloo.ca
Successfully mapped host/scspc239.cs.uwaterloo.ca to scspc239-host.
Key created.
Output keytab to c:\temp\krb5.keytab:
Keytab version: 0x502
keysize 72 host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x
51dfd67a4a899729)
Account scspc239-host has been set for DES-only encryption.

You now need to copy that resulting file (c:\temp\krb5.keytab) to the machine you're setting up. I used the SSH Client, connect to the machine I'm setting up (scspc239), then clicked on the File Transfer Window and copied the files over. It needs to go here: /etc/krb5.keytab on the new system (not /etc/krb5/krb5.keytab as it would be in Solaris). Make sure the permissions are 600: # chmod 600 /etc/krb5.keytab and owned by root: chown root:root /etc/krb5.keytab

Configure The Ubuntu Kerberos Client

Copy the entire /etc/krb5.conf file to replace the existing version. You can find it here: https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete

Initialize the Kerberos client

In this case, we're setting up scspc239.cs, so the command is: #kinit -k -t /etc/krb5.keytab host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA

If it fails with message: kinit: KDC has no support for encryption type while getting initial credentials

Use another encryption method. From the notes https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete  (replace computername with scspc239 and KVNO_number with the actual number e.g. 4)

   1. Obtain the KVNO number for the host's SPN from the existing keytab file with the command klist -k -t /etc/krb5.keytab
   2. Set aside the existing keytab file by renaming it
   3. Enter the ktutil command to enter into the ktutil interface
   4. Within the ktutil interface, create a new key entry and write it back to /etc/krb5.keytab
          * addent -password -p host/computername.cs.uwaterloo.ca@CS.UWATERLOO.CA -k KVNO_number -e rc4-hmac
          * At the password prompt supply the password for the Active Directory computername-host account
          * wkt /etc/krb5.keytab
          * q (quit command)

Interesting that this may not fix it until the properties in najas for scspc239-host are adjusted by removing the DES encryption check in Properties (right-click):Account tab:Account Options.

Success?

Run the klist command. You should see something similar to:

root@scspc239:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA

Valid starting     Expires            Service principal
10/22/09 16:37:35  10/23/09 02:37:35  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
        renew until 10/23/09 16:37:35


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Configuration Of The Ubuntu PAM Stack

Reference: ADAddUbuntu#Configuration_Of_The_Ubuntu_PAM

I started by making a backup of all of the config files:

# cd /etc/pam.d
# for i in common-auth  common-account common-session common-password sudo; do cp $i $i.orig; done

Update all of the following files so that all other lines are commented out, and then add the indicated lines to the bottom of the file (I usually add a comment line before that to refer to this being a CSCF custom config and the date and author)

/etc/pam.d/common-auth

auth  sufficient      pam_krb5.so forwardable ignore_root debug
auth  required        pam_unix.so try_first_pass nullok_secure
account  required        pam_access.so

/etc/pam.d/common-account

account     sufficient    pam_ldap.so debug
account     required      pam_unix.so

/etc/pam.d/common-session

session required      pam_mkhomedir.so nmask=0022 skel=/etc/skel/ silent
session sufficient  pam_krb5.so debug
session required  pam_unix.so
session optional  pam_foreground.so

/etc/pam.d/common-password

password   sufficient pam_krb5.so ignore_root debug
password   required   pam_unix.so nullok obscure min=4 max=8 md5

Additional Configurations For CSCF Ubuntu Workstations

I've included some of the changes listed here: ADAddUbuntu#Additional_Configurations_For_CS into the above. There are a few other necessary changes.

/etc/pam.d/sudo

Before:

root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so

After:

root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0

# Custom config for CSCF
# lfolland (2009/10/23)
# include common-auth
auth  sufficient      pam_krb5.so forwardable ignore_root debug
auth  required        pam_unix.so try_first_pass nullok_secure
@include common-account

/etc/security/access.conf

root@scspc239:/etc/pam.d# cd /etc/security root@scspc239:/etc/security# cp access.conf access.conf.orig By default, the entire file is commented out, so add the following to the end:

+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cscf-adm root : 129.97.0.0/16
+ : staff_cscf : ALL
+ : users_researchgroup : ALL
- : ALL : ALL

Note: replace "users_researchgroup" with the group in Active Directory that contains the list of users for that research group. By convention, we will call those groups "users_name-of-group", eg: "users_watform" or "users_plg". This group will need to be created, with a permanent GID. For now, send email to accounts@cs to request group creation. If the user has no group replace users_researchgroup with the user's ID.

Update the sudoers file

We'd like to provide sudo access to CSCF staff as well as the list of admin users for the specific research group

#visudo

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# CS Active directory groups with sudo privileges
%staff_cscf ALL=(ALL) ALL
%admin_plg ALL=(ALL) ALL

If the user is not in an admin group, i.e. not in PLG or AI etc., then replace %admin_plg with the user's ID without the percent sign

Additional Configurations For Enabling Single Sign On (SSO)

While this may not be strictly necessary, it would be helpful to the user if they can move from one machine to another when it is in the same Kerberos realm. Practically speaking, that will be all machines setup in a way similar to this - authenticating to our Active Directory. Most of the machines in the CS Core do not yet do this, but it is the direction. And, certainly, as we migrate research groups to this approach it will allow easy movement between machines

Reference: ADAddUbuntu#Additional_Configurations_For_En

In the file /etc/ssh/sshd_config, in the section: # GSSAPI options make the following changes:

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

The notes say to set UsePAM to yes, but that is already set, so it's ok.

Create standard Shells

Our Active Directory stores the user's login shell. However, given that it was originally setup for use on the CS core servers, these are usually kept in the /xhbin directory. Therefore you will need a link to the local version of: bash, sh, csh, tcsh as a minimum.

root@scspc239:~# mkdir /xhbin
root@scspc239:~# which bash
/bin/bash
root@scspc239:~# ln -s /bin/bash /xhbin/bash
root@scspc239:~# which csh
/bin/csh
root@scspc239:~# ln -s /bin/csh /xhbin/csh
root@scspc239:~# which sh
/bin/sh
root@scspc239:~# ln -s /bin/sh /xhbin/sh
root@scspc239:~# which tcsh
/usr/bin/tcsh
root@scspc239:~# ln -s /usr/bin/tcsh /xhbin/tcsh
root@scspc239:~# cd /xhbin
root@scspc239:/xhbin# ls -l
total 0
lrwxrwxrwx 1 root root  9 2009-10-26 10:17 bash -> /bin/bash
lrwxrwxrwx 1 root root  8 2009-10-26 10:17 csh -> /bin/csh
lrwxrwxrwx 1 root root  7 2009-10-26 10:16 sh -> /bin/sh
lrwxrwxrwx 1 root root 13 2009-10-26 10:15 tcsh -> /usr/bin/tcsh

Create home directory pointers

On a typical Ubuntu system the base for home directories is /home. In the CS Active Directory, we store the absolute path used in the CS core machines. The users there are broken into nine directories: /u1 ... /u9. Also, we are used to being able to cd /u/userid. So, we will create pointers from u, u1-u9 into /home:

root@scspc239:/xhbin#  for i in u u1 u2 u3 u4 u5 u6 u7 u8 u9; do ln -s /home /$i; done
root@scspc239:/xhbin# ls -ld /u*
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u1 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u2 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u3 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u4 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u5 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u6 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u7 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u8 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u9 -> /home
root@scspc239:/xhbin# 

This will keep all our home directories in the same place regardless of how they are created (locally or by AD login)

Test your setup

Check to make sure LDAP is still working: getent passwd someuserid

Test logging in to your new system:

@cscf[104]% ssh scspc239
lfolland@scspc239's password: 
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/X11/xauth:  creating new authority file /u3/lfolland/.Xauthority
lfolland@scspc239:~$ 

- and it works!