---+ Setting up a !GradPC using the CS-GENERAL Active Directory

---++ Background

This page documents the setup of a *standard grad PC with the X2GEN010.gho image* to use the CS Active Directory. I'm following the notes here: ADAddUbuntu and ADAddSolaris10. The headings in this document mirror those in the two referenced documents.

What follows is a detailed, step-by-step set of instructions. The other two documents provide the background and theory that this page does not attempt to duplicate; refer to them if anything does not go as expected.

In the examples below, we are setting up scspc239.cs. Adjust the commands for the machine you are working with.

%TOC%

---++ Initial Steps

The command

=ldapsearch -x -H ldap://ldap.cs -b dc=cs,dc=uwaterloo,dc=ca cn=lfolland=

worked out of the box.

---+++ Requisite Software

CF.ADAddUbuntu says the following packages are needed:

   * ldap-utils: =sudo apt-get -y install ldap-utils=
   * krb5-user: =sudo apt-get -y install krb5-user=
   * libnss-ldap: =sudo apt-get -y install libnss-ldap=
   * libpam-krb5: =sudo apt-get -y install libpam-krb5=
   * libpam-foreground: =sudo apt-get -y install libpam-foreground=
   * ntp: =sudo apt-get install ntp=

They all seem to be installed already, so I'll skip that unless needed:

<pre>
cscf-adm@scspc239:~$ dpkg -l|egrep "ldap-utils|krb5-user|libnss-ldap|libpam-krb5|libpam-foreground|ntp"
ii  krb5-user          1.6.dfsg.4~beta1-5ubuntu2   Basic programs to authenticate using MIT Kerberos
ii  ldap-utils         2.4.15-1ubuntu3             OpenLDAP utilities
ii  libnss-ldap        261-2.1ubuntu1              NSS module for using LDAP as a naming service
ii  libpam-foreground  0.5                         create lockfiles describing which users own which console
ii  libpam-krb5        3.13-2ubuntu1               PAM module for MIT Kerberos
ii  ntp                1:4.2.4p4+dfsg-7ubuntu5.1   Network Time Protocol daemon and utility programs
ii  ntpdate            1:4.2.4p4+dfsg-7ubuntu5.1   client for setting system time from NTP servers
</pre>

Also, openssh-server is required.

---+++ Configuration Of The Ubuntu NSS (Network Services Switch)

Before:

<pre>
root@scspc239:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# ...
passwd:         compat
group:          compat
shadow:         compat
...
</pre>

After:

<pre>
root@scspc239:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# ...
passwd:         files ldap
group:          files ldap
shadow:         files ldap
...
</pre>

---++++ DNS configuration

The reference says that the following should appear:

=hosts: dns files=

Not sure if this is OK or not; this is what we have by default:

=hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4=

which says to search files before dns. Is that a problem?

Checking /etc/hostname and /etc/hosts:

Before:

<pre>
root@scspc239:~# cat /etc/hostname
scspc239.cs
root@scspc239:~# cat /etc/hosts
127.0.0.1       scspc239.cs localhost.localdomain localhost
127.0.1.1       scspc239.cs
...
</pre>

After:

<pre>
root@scspc239:~# cat /etc/hosts
129.97.169.219  scspc239.cs scspc239.cs.uwaterloo.ca
127.0.0.1       scspc239.cs localhost.localdomain localhost
127.0.1.1       scspc239.cs
...
</pre>

---+++ Configuration Of Ubuntu LDAP Client

We now need to update /etc/ldap.conf as per CF.ADAddUbuntu#Configuration_Of_Ubuntu_LDAP_Cli. In particular:

   * fix the "base" and "uri" lines;
   * uncomment all of the lines in the =# RFC 2307 (AD) mappings= section. Note that you need to put "memberUid" rather than "member" as it is in the file (not sure why), i.e. =nss_map_attribute uniqueMember memberUid=;
   * add the line =nss_map_attribute cn displayName=.

Also, I removed the ##DEBCONF## line at the beginning and edited the file manually, as I couldn't find exactly which utility would be used to update the file using dpkg-reconfigure.

Before:

<pre>
root@scspc239:~# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=example,dc=net
uri ldapi:///
ldap_version 3
rootbinddn cn=manager,dc=example,dc=net
pam_password md5
nss_initgroups_ignoreusers Debian-exim,avahi,avahi-autoipd,backup,bin,daemon,davfs2,debian-xfs,distccd,festival,fetchmail,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,proxy,pulse,root,saned,snmp,sshd,sync,sys,syslog,uucp,vde2-net,www-data
</pre>

After:

<pre>
root@scspc239:/etc# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=cs,dc=uwaterloo,dc=ca
uri ldap://ldap.cs.uwaterloo.ca/
ldap_version 3
bind_policy soft
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember memberUid
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
</pre>

So, at this point, we should be able to test using =getent passwd username=:

<pre>
root@scspc239:/etc/X11# getent passwd lfolland
lfolland:*:1234:1234:Lawrence Folland,DC 2563:/u3/lfolland:/xhbin/bash
</pre>

And just checking the group information:

<pre>
root@scspc239:/etc/X11# getent group | grep "^lfolland"
lfolland:*:1234:
</pre>

---+++ Configuration Of The Ubuntu Kerberos Client

=apt-get -y install ntp= (unnecessary in the X2GEN010.GHO image)

Update /etc/ntp.conf.

Before:

<pre>
# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com
</pre>

After:

<pre>
# You do need to talk to an NTP server or two (or three).
server ntp.student.cs.uwaterloo.ca
server ntp.cs.uwaterloo.ca
server ntp.ubuntu.com
</pre>

Restart NTP:

<pre>
root@scspc239:/etc/X11# /etc/init.d/ntp stop
 * Stopping NTP server ntpd                                       ...done.
root@scspc239:/etc/X11# ntpdate ntp.student.cs.uwaterloo.ca
22 Oct 11:50:39 ntpdate[563]: adjust time server 129.97.152.10 offset -0.134501 sec
root@scspc239:/etc/X11# /etc/init.d/ntp start
 * Starting NTP server ntpd                                       ...done.
</pre>

---+++ Creation Of Active Directory Kerberos Credentials For The Ubuntu Computer

Note: I'm following the directions here: https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#Active_Directory_Setup_For_Each which has a lot of the background info.

   * Log in to najas.cs (our AD server) with your -adm account (admin privileges).
   * Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
   * Navigate to cs.uwaterloo.ca -> CS -> Linux Hosts
   * Right-click on Linux Hosts and choose New -> User (yes, User).
   * If the machine you are creating is called "scspc239.cs", enter "scspc239-host" as the "Full name" and the "User logon name", then click Next.
   * Use a complex password (we have handy stickers for that purpose). You will need to know this password later.
   * Uncheck "User must change password at next login".
   * Click Next, then Finish. It should now show up in the list of Linux Hosts.
   * Right-click on your new machine-host record and click "Properties", or just double-click on the item.
   * Click on the Account tab.
   * Scroll down the list of Account options and check "Do not require Kerberos preauthentication".
   * Click on the General tab and enter something like "Kerberos host principal for Linux host scspc239.cs.uwaterloo.ca" in the Description, then click "Ok".

---+++ Create A keytab File for the Ubuntu Host

On najas.cs, open a command window and enter the following, all on a single command line. In the following example, the machine we're setting up is "scspc239". The password you used previously goes where it says "yourpasswordhere":

=ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA -mapuser CS-GENERAL\scspc239-host -pass yourpasswordhere -out c:\temp\krb5.keytab=

Output:

<pre>
Targeting domain controller: intacta.cs.uwaterloo.ca
Successfully mapped host/scspc239.cs.uwaterloo.ca to scspc239-host.
Key created.
Output keytab to c:\temp\krb5.keytab:
Keytab version: 0x502
keysize 72 host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x 51dfd67a4a899729)
Account scspc239-host has been set for DES-only encryption.
</pre>

You now need to copy the resulting file (c:\temp\krb5.keytab) to the machine you're setting up. I used the SSH Client, connected to the machine I'm setting up (scspc239), then clicked on the File Transfer Window and copied the file over. On the new system it needs to go here: /etc/krb5.keytab (not /etc/krb5/krb5.keytab as it would be in Solaris).

Make sure the permissions are 600:

=# chmod 600 /etc/krb5.keytab=

and that it is owned by root:

=# chown root:root /etc/krb5.keytab=

---+++ Configure The Ubuntu Kerberos Client

Copy the entire /etc/krb5.conf file to replace the existing version. You can find it here: https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete

---+++ Initialize the Kerberos client

In this case, we're setting up scspc239.cs, so the command is:

=# kinit -k -t /etc/krb5.keytab host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA=

If it fails with the message

<pre>
kinit: KDC has no support for encryption type while getting initial credentials
</pre>

use another encryption method. From the notes at https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete (replace computername with scspc239 and KVNO_number with the actual number, e.g. 4):

   1 Obtain the KVNO number for the host's SPN from the existing keytab file with the command =klist -k -t /etc/krb5.keytab=
   1 Set aside the existing keytab file by renaming it.
   1 Enter the =ktutil= command to enter the ktutil interface.
   1 Within the ktutil interface, create a new key entry and write it back to /etc/krb5.keytab:
      * =addent -password -p host/computername.cs.uwaterloo.ca@CS.UWATERLOO.CA -k KVNO_number -e rc4-hmac=
      * At the password prompt, supply the password for the Active Directory computername-host account.
      * =wkt /etc/krb5.keytab=
      * =q= (quit command)

Interestingly, this may not fix it until the properties in najas for scspc239-host are adjusted by removing the DES encryption check in Properties (right-click): Account tab: Account Options.

---++++ Success?

Run the =klist= command. You should see something similar to:

<pre>
root@scspc239:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA

Valid starting     Expires            Service principal
10/22/09 16:37:35  10/23/09 02:37:35  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
        renew until 10/23/09 16:37:35


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
</pre>

---+++ Configuration Of The Ubuntu PAM Stack

Reference: ADAddUbuntu#Configuration_Of_The_Ubuntu_PAM

I started by making a backup of all of the config files:

<pre>
# cd /etc/pam.d
# for i in common-auth common-account common-session common-password sudo; do cp $i $i.orig; done
</pre>

Update each of the following files so that all other lines are commented out, and then add the indicated lines to the bottom of the file. (I usually add a comment line before that, noting that this is a CSCF custom config, with the date and author.)

---++++ /etc/pam.d/common-auth

<pre>
auth    sufficient  pam_krb5.so forwardable ignore_root debug
auth    required    pam_unix.so try_first_pass nullok_secure
account required    pam_access.so
</pre>

---++++ /etc/pam.d/common-account

<pre>
account sufficient  pam_ldap.so debug
account required    pam_unix.so
</pre>

---++++ /etc/pam.d/common-session

<pre>
session required    pam_mkhomedir.so umask=0022 skel=/etc/skel/ silent
session sufficient  pam_krb5.so debug
session required    pam_unix.so
session optional    pam_foreground.so
</pre>

---++++ /etc/pam.d/common-password

<pre>
password sufficient pam_krb5.so ignore_root debug
password required   pam_unix.so nullok obscure min=4 max=8 md5
</pre>

---+++ Additional Configurations For CSCF Ubuntu Workstations

I've included some of the changes listed here: ADAddUbuntu#Additional_Configurations_For_CS in the above. There are a few other necessary changes.
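Before moving on to the sudo and access.conf changes, here is a scripted form of the keytab rebuild from the "Initialize the Kerberos client" section above. This is an added example, not part of the wiki page or of the CSCF notes it references; it assumes the MIT Kerberos tools (klist, ktutil, kinit) on the Ubuntu host and the naming convention this page uses (machine scspc239 becomes host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA). The klist output embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the CF wiki page): scripted version of the
# "KDC has no support for encryption type" recovery from the Kerberos
# client section.  Assumes MIT Kerberos tools (klist, ktutil, kinit).

# Constructed sample of `klist -k -t /etc/krb5.keytab` output; the
# principal and KVNO follow the page's scspc239 example.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 10/22/09 16:30:00 host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA'

# Build the host principal for a machine name such as "scspc239".
host_principal() {
    printf 'host/%s.cs.uwaterloo.ca@CS.UWATERLOO.CA\n' "$1"
}

# Read `klist -k` output on stdin and print the KVNO of one principal.
# Both `klist -k` and `klist -k -t` put the KVNO first and the principal
# last on each entry line, so matching on $NF works for either form.
kvno_for_principal() {
    awk -v p="$1" '$NF == p { print $1; exit }'
}

# Rebuild /etc/krb5.keytab with a non-DES key for this host, keeping the
# KVNO that Active Directory already has for the -host account.
#   usage: rebuild_host_keytab scspc239 [enctype]
# The page used rc4-hmac in 2009; current KDCs expect aes256-cts-hmac-sha1-96.
rebuild_host_keytab() {
    host=$1
    enctype=${2:-rc4-hmac}
    keytab=/etc/krb5.keytab
    princ=$(host_principal "$host")

    # 1. KVNO from the existing keytab (the one ktpass wrote on najas)
    kvno=$(klist -k -t "$keytab" | kvno_for_principal "$princ")
    if [ -z "$kvno" ]; then
        echo "no entry for $princ in $keytab" >&2
        return 1
    fi

    # 2. set the old keytab aside instead of deleting it
    mv "$keytab" "$keytab.$(date +%Y%m%d).orig"

    # 3./4. drive ktutil from stdin: the line after addent answers its
    # password prompt, so the password is never on a command line
    printf 'Password for AD account %s-host: ' "$host" >&2
    stty -echo; read -r password; stty echo; echo >&2
    {
        printf 'addent -password -p %s -k %s -e %s\n' "$princ" "$kvno" "$enctype"
        printf '%s\n' "$password"
        printf 'wkt %s\nq\n' "$keytab"
    } | ktutil
    unset password

    # the keytab must stay root-only, as the page says
    chmod 600 "$keytab" && chown root:root "$keytab"

    # 5. prove the new key works before anyone tries to log in
    kinit -k -t "$keytab" "$princ" && klist
}

# `sh this.sh rebuild scspc239 [enctype]` performs the rebuild; running
# it with no arguments only defines the functions above.
case "${1:-}" in
    rebuild) rebuild_host_keytab "$2" "${3:-rc4-hmac}" ;;
esac
```

ktutil reads its password prompt from the same stdin as the command script, which is why the password line sits directly after the addent line. As the page notes, the new key may still be rejected until the DES-only option on the scspc239-host account is cleared in Active Directory.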
---++++ /etc/pam.d/sudo

Before:

<pre>
root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so
</pre>

After:

<pre>
root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0
# Custom config for CSCF
# lfolland (2009/10/23)
# include common-auth
auth    sufficient  pam_krb5.so forwardable ignore_root debug
auth    required    pam_unix.so try_first_pass nullok_secure
@include common-account
</pre>

---++++ /etc/security/access.conf

<pre>
root@scspc239:/etc/pam.d# cd /etc/security
root@scspc239:/etc/security# cp access.conf access.conf.orig
</pre>

By default, the entire file is commented out, so add the following to the end:

<pre>
+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cscf-adm root : 129.97.0.0/16
+ : staff_cscf : ALL
+ : users_researchgroup : ALL
- : ALL : ALL
</pre>

Note: replace "users_researchgroup" with the group in Active Directory that contains the list of users for that research group. By convention, we will call those groups "users_name-of-group", e.g. "users_watform" or "users_plg". This group will need to be created, with a permanent GID. For now, send email to accounts@cs to request group creation. If the user has no group, replace users_researchgroup with the user's ID.

---+++ Update the sudoers file

We'd like to provide sudo access to CSCF staff as well as to the list of admin users for the specific research group:

<pre>
# visudo

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# CS Active directory groups with sudo privileges
%staff_cscf ALL=(ALL) ALL
%admin_plg ALL=(ALL) ALL
</pre>

If the user is not in an admin group (i.e. not in PLG or AI, etc.), then replace %admin_plg with the user's ID without the percent sign.

---+++ Additional Configurations For Enabling Single Sign On (SSO)

While this may not be strictly necessary, it would be helpful to the user if they can move from one machine to another when it is in the same Kerberos realm. Practically speaking, that will be all machines set up in a way similar to this, authenticating to our Active Directory. Most of the machines in the CS Core do not *yet* do this, but it is the direction; and, certainly, as we migrate research groups to this approach it will allow easy movement between machines.

Reference: ADAddUbuntu#Additional_Configurations_For_En

In the =# GSSAPI options= section (of /etc/ssh/sshd_config), make the following changes:

<pre>
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
</pre>

The notes say to set =UsePAM= to yes, but that is already set, so it's OK.

---+++ Create standard Shells

Our Active Directory stores the user's login shell. However, given that it was originally set up for use on the CS core servers, these are usually kept in the /xhbin directory. Therefore you will need a link to the local version of bash, sh, csh and tcsh as a minimum.

<pre>
root@scspc239:~# mkdir /xhbin
root@scspc239:~# which bash
/bin/bash
root@scspc239:~# ln -s /bin/bash /xhbin/bash
root@scspc239:~# which csh
/bin/csh
root@scspc239:~# ln -s /bin/csh /xhbin/csh
root@scspc239:~# which sh
/bin/sh
root@scspc239:~# ln -s /bin/sh /xhbin/sh
root@scspc239:~# which tcsh
/usr/bin/tcsh
root@scspc239:~# ln -s /usr/bin/tcsh /xhbin/tcsh
root@scspc239:~# cd /xhbin
root@scspc239:/xhbin# ls -l
total 0
lrwxrwxrwx 1 root root  9 2009-10-26 10:17 bash -> /bin/bash
lrwxrwxrwx 1 root root  8 2009-10-26 10:17 csh -> /bin/csh
lrwxrwxrwx 1 root root  7 2009-10-26 10:16 sh -> /bin/sh
lrwxrwxrwx 1 root root 13 2009-10-26 10:15 tcsh -> /usr/bin/tcsh
</pre>

---+++ Create home directory pointers

On a typical Ubuntu system the base for home directories is /home. In the CS Active Directory, we store the absolute path used on the CS core machines. The users there are spread over nine directories: /u1 ... /u9. Also, we are used to being able to =cd /u/userid=. So, we will create pointers from u, u1-u9 into /home:

<pre>
root@scspc239:/xhbin# for i in u u1 u2 u3 u4 u5 u6 u7 u8 u9; do ln -s /home /$i; done
root@scspc239:/xhbin# ls -ld /u*
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u1 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u2 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u3 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u4 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u5 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u6 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u7 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u8 -> /home
lrwxrwxrwx 1 root root 5 2009-10-26 10:25 /u9 -> /home
root@scspc239:/xhbin#
</pre>

This will keep all our home directories in the same place regardless of how they are created (locally or by AD login).

---+++ Test your setup

Check to make sure LDAP is still working:

=getent passwd someuserid=

Test logging in to your new system:

<pre>
@cscf[104]% ssh scspc239
lfolland@scspc239's password:
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/X11/xauth:  creating new authority file /u3/lfolland/.Xauthority
lfolland@scspc239:~$
</pre>

- and it works!
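As a more thorough check for the "Test your setup" step, the following POSIX shell functions verify the pieces configured above: the nsswitch.conf databases, the ldap.conf mappings, keytab permissions, the pam_mkhomedir line, the /xhbin shell links and the /u* pointers. This is an added example, not part of the wiki page or of CSCF's own tooling; every function takes the file or tree root it inspects, so =check_all /= audits the finished machine and the same functions can be pointed at a staging directory. The sample files used in the self-test are constructed. It assumes GNU/busybox =stat -c=.

```shell
#!/bin/sh
# Added example (not from the CF wiki page): post-setup checks for a GradPC
# joined to CS-GENERAL.  Run `sh this.sh check /` on the finished host.

# nsswitch.conf: passwd, group and shadow must read "files ldap".
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^${db}:[[:space:]]+files[[:space:]]+ldap" "$1" \
            || { echo "nsswitch: '$db' is not 'files ldap'"; return 1; }
    done
}

# ldap.conf: base, uri and the AD mappings listed on the page.  Each wanted
# line is matched as key + value with any amount of whitespace between.
check_ldap_conf() {
    missing=0
    while read -r want; do
        key=${want%% *}; val=${want#* }
        grep -Eq "^${key}[[:space:]]+${val}[[:space:]]*$" "$1" \
            || { echo "ldap.conf: missing '$want'"; missing=1; }
    done <<'EOF'
base dc=cs,dc=uwaterloo,dc=ca
uri ldap://ldap.cs.uwaterloo.ca/
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember memberUid
pam_login_attribute sAMAccountName
pam_password ad
EOF
    return $missing
}

# krb5.keytab: present, mode 600, owned by root (owner overridable for tests).
check_keytab() {
    want_owner=${2:-root}
    [ -f "$1" ] || { echo "keytab: $1 missing"; return 1; }
    mode=$(stat -c '%a' "$1"); who=$(stat -c '%U' "$1")
    [ "$mode" = 600 ] || { echo "keytab: mode $mode, want 600"; return 1; }
    [ "$who" = "$want_owner" ] || { echo "keytab: owner $who, want $want_owner"; return 1; }
}

# common-session: pam_mkhomedir must carry umask=; a misspelled option such
# as "nmask=" is an unknown option to the module and has no effect.
check_pam_session() {
    grep -Eq '^session[[:space:]]+required[[:space:]]+pam_mkhomedir\.so.*[[:space:]]umask=' "$1" \
        || { echo "common-session: pam_mkhomedir.so without umask="; return 1; }
}

# /xhbin must hold working links for the shells stored in AD.
check_shell_links() {
    base=${1%/}
    for s in bash sh csh tcsh; do
        [ -L "$base/xhbin/$s" ] && [ -x "$base/xhbin/$s" ] \
            || { echo "shell link $base/xhbin/$s missing or dangling"; return 1; }
    done
}

# /u and /u1../u9 must all point at /home so AD home paths resolve locally.
check_home_links() {
    base=${1%/}
    for d in u u1 u2 u3 u4 u5 u6 u7 u8 u9; do
        [ "$(readlink "$base/$d" 2>/dev/null)" = /home ] \
            || { echo "$base/$d does not point to /home"; return 1; }
    done
}

# Run everything against a tree root ("/" for the live machine).
check_all() {
    root=${1:-/}; root=${root%/}; owner=${2:-root}
    failed=0
    check_nsswitch    "$root/etc/nsswitch.conf"        || failed=1
    check_ldap_conf   "$root/etc/ldap.conf"            || failed=1
    check_keytab      "$root/etc/krb5.keytab" "$owner" || failed=1
    check_pam_session "$root/etc/pam.d/common-session" || failed=1
    check_shell_links "$root"                          || failed=1
    check_home_links  "$root"                          || failed=1
    [ "$failed" -eq 0 ] && echo "all checks passed"
    return $failed
}

case "${1:-}" in
    check) check_all "${2:-/}" ;;
esac
```

A failed check prints which file or link is wrong and the script exits non-zero, so it can also be dropped into a cron job or a configuration-management verify step once the research group's machines are migrated.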
Topic revision: r17 - 2010-09-16 - GordBoerke