(r17) SettingUpADGradPCs < CF

CF Web>Research>ResearchGroups>ProgrammingLanguages>SettingUpADGradPCs (revision 17) (raw view)~~EditAttach~~
---+ Setting up a !GradPC using the CS-GENERAL Active Directory

---++ Background
This page documents the setup of a *standard grad PC with the X2GEN010.gho image* to use the CS Active Directory.  I'm following the notes here: ADAddUbuntu and ADAddSolaris10.  The headings in this document will mirror those in the two referenced documents.  What follows is a detailed step-by-step set of instructions.  The other two documents provide background and theory that this does not attempt to duplicate.  They should be referenced if you run into anything that doesn't go as expected.  In the examples below, we are setting up scspc239.cs.  Adjust the commands for the machine you are working with.

%TOC%

---++ Initial Steps
The command:
=ldapsearch -x -H ldap://ldap.cs -b dc=cs,dc=uwaterloo,dc=ca cn=lfolland= worked out-of-the-box

---+++ Requisite Software
In CF.ADAddUbuntu it says the following are needed:
    * ldap-utils $sudo apt-get -y install ldap-utils
    * krb5-user $sudo apt-get -y install krb5-user
    * libnss-ldap $sudo apt-get -y install libnss-ldap
    * libpam-krb5 $sudo apt-get -y install libpam-krb5
    * libpam-foreground $sudo apt-get -y install libpam-foreground
    * ntp $sudo apt-get install ntp

They all seem to be installed, so I'll skip that unless needed:

<pre>
cscf-adm@scspc239:~$ dpkg -l|egrep "ldap-utils|krb5-user|libnss-ldap|libpam-krb5|libpam-foreground|ntp"
ii  krb5-user                                  1.6.dfsg.4~beta1-5ubuntu2                 Basic programs to authenticate using MIT Kerberos
ii  ldap-utils                                 2.4.15-1ubuntu3                           OpenLDAP utilities
ii  libnss-ldap                                261-2.1ubuntu1                            NSS module for using LDAP as a naming service
ii  libpam-foreground                          0.5                                       create lockfiles describing which users own which console
ii  libpam-krb5                                3.13-2ubuntu1                             PAM module for MIT Kerberos
ii  ntp                                        1:4.2.4p4+dfsg-7ubuntu5.1                 Network Time Protocol daemon and utility programs
ii  ntpdate                                    1:4.2.4p4+dfsg-7ubuntu5.1                 client for setting system time from NTP servers

Also openssh-server is required.
</pre>

---+++ Configuration Of The Ubuntu NSS (Network Services Switch) 
Before:
<pre>
root@scspc239:~# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
...
passwd:         compat
group:          compat
shadow:         compat

...

</pre>

After:
<pre>
root@scspc239:~# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
...
passwd:         files ldap
group:          files ldap
shadow:         files ldap

...
</pre>

---++++ DNS configuration 
It says that the following should appear:
=hosts: dns files=

Not sure if this is ok or not (this is what we have by default):
=hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4=
which says to search files before dns - is that a problem?

Checking /etc/hostname and /etc/hosts:

Before:
<pre>
root@scspc239:~# cat /etc/hostname
scspc239.cs
root@scspc239:~# cat /etc/hosts
127.0.0.1   scspc239.cs   localhost.localdomain   localhost
127.0.1.1   scspc239.cs
...
</pre>

After:
<pre>
root@scspc239:~# cat /etc/hosts
129.97.169.219 scspc239.cs scspc239.cs.uwaterloo.ca
127.0.0.1   scspc239.cs   localhost.localdomain   localhost
127.0.1.1   scspc239.cs
...
</pre>

---+++ Configuration Of Ubuntu LDAP Client
We now need to update /etc/ldap.conf

You will need to update /etc/ldap.conf as per CF.ADAddUbuntu#Configuration_Of_Ubuntu_LDAP_Cli

In particular, you will need to fix the "base" and "uri" lines, and then uncomment all of the lines in the =# RFC 2307 (AD) mappings= section, note that you need to put "memberUid" rather than "member" as it is in the file (not sure why)
(ie: =nss_map_attribute uniqueMember memberUid= ) also you will need to add the line: =nss_map_attribute cn displayName=

Also, I removed the line ##DEBCONF## at the begininning and editted the file manually as I couldn't find exactly what utility would be used to update the file using dpkg-reconfigure

Before:
<pre>
root@scspc239:~# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=example,dc=net
uri ldapi:///
ldap_version 3
rootbinddn cn=manager,dc=example,dc=net
pam_password md5
nss_initgroups_ignoreusers Debian-exim,avahi,avahi-autoipd,backup,bin,daemon,davfs2,debian-xfs,distccd,festival,fetchmail,games,gdm,gnats,haldaemon,hplip,irc,klog,libuuid,list,lp,mail,man,messagebus,news,ntp,polkituser,proxy,pulse,root,saned,snmp,sshd,sync,sys,syslog,uucp,vde2-net,www-data
</pre>

After:
<pre>
root@scspc239:/etc# egrep -v '(^$|^#)' /etc/ldap.conf
base dc=cs,dc=uwaterloo,dc=ca
uri ldap://ldap.cs.uwaterloo.ca/
ldap_version 3
bind_policy soft
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember memberUid
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
</pre>

So, at this point, we should be able to test using:
=getent passwd username=

<pre>
root@scspc239:/etc/X11# getent passwd lfolland
lfolland:*:1234:1234:Lawrence Folland,DC 2563:/u3/lfolland:/xhbin/bash
</pre>

And just checking the group information:
<pre>
root@scspc239:/etc/X11# getent group | grep "^lfolland"
lfolland:*:1234:
</pre>

---+++ Configuration Of The Ubuntu Kerberos Client 
=apt-get -y install ntp= (unnecessary in X2GEN010.GHO image)

update /etc/ntp.conf

Before:
<pre>
# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com
</pre>

After:
<pre>
# You do need to talk to an NTP server or two (or three).
server ntp.student.cs.uwaterloo.ca
server ntp.cs.uwaterloo.ca
server ntp.ubuntu.com
</pre>

Restart NTP:
<pre>
root@scspc239:/etc/X11# /etc/init.d/ntp stop
 * Stopping NTP server ntpd
   ...done.
root@scspc239:/etc/X11# ntpdate ntp.student.cs.uwaterloo.ca
22 Oct 11:50:39 ntpdate[563]: adjust time server 129.97.152.10 offset -0.134501 sec
root@scspc239:/etc/X11# /etc/init.d/ntp start
 * Starting NTP server ntpd
   ...done.
</pre>

---+++ Creation Of Active Directory Kerberos Credentials For The Ubuntu Computer 
Note: following the directions here:  https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#Active_Directory_Setup_For_Each
which has a lot of the background info

   * login to najas.cs (our AD server) with your -adm account (admin privilges)
   * Start -> Programs -> Administrative Tools -> Active Directory Users and Computers
   * Navigate to cs.uwaterloo.ca -> CS -> Linux Hosts
   * Right-click on Linux Hosts and choose New -> User (yes, User)
   * if the machine you are creating is called "scspc239.cs", enter "scspc239-host" as the "Full name" and the "Userlogon name", click Next
   * Use a complex password (we have handy stickers for that purpose).  You will need to know this password later.
   * Uncheck "User must change password at next login"
   * Click Next, then Finish.  It should now show up in the list of Linux Hosts
   * Right-click on your new machine-host record and click "Properties", or just double-click on the item
   * Click on the Account tab
   * Scroll down the list of Account options and check "Do not require Kerberos preauthentication"
   * Click on the General tab and enter something like "Kerberos host principal for Linux host scspc239.cs.uwaterloo.ca" in the Description then click "Ok"

---+++ Create A keytab File for the Ubuntu Host
On najas.cs, open a command window and enter the following all on a single command line.  In the following example, the machine we're setting up is "scspc239".  The password you used previously goes where it says "yourpasswordhere":

=ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA -mapuser CS-GENERAL\scspc239-host -pass yourpasswordhere -out c:\temp\krb5.keytab=

Output:
<pre>
Targeting domain controller: intacta.cs.uwaterloo.ca
Successfully mapped host/scspc239.cs.uwaterloo.ca to scspc239-host.
Key created.
Output keytab to c:\temp\krb5.keytab:
Keytab version: 0x502
keysize 72 host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x
51dfd67a4a899729)
Account scspc239-host has been set for DES-only encryption.
</pre>

You now need to copy that resulting file (c:\temp\krb5.keytab) to the machine you're setting up.  I used the SSH Client, connect to the machine I'm setting up (scspc239), then clicked on the File Transfer Window and copied the files over.  It needs to go here: /etc/krb5.keytab on the new system (not /etc/krb5/krb5.keytab as it would be in Solaris).  Make sure the permissions are 600:  =# chmod 600 /etc/krb5.keytab= and owned by root:  =chown root:root /etc/krb5.keytab=

---+++ Configure The Ubuntu Kerberos Client 
Copy the entire /etc/krb5.conf file to replace the existing version.  You can find it here: https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete

---+++ Initialize the Kerberos client
In this case, we're setting up scspc239.cs, so the command is:
=#kinit -k -t /etc/krb5.keytab host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA=
<pre>
If it fails with message: kinit: KDC has no support for encryption type while getting initial credentials

Use another encryption method. From the notes https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#etc_krb5_conf_complete  (replace computername with scspc239 and KVNO_number with the actual number e.g. 4)

   1. Obtain the KVNO number for the host's SPN from the existing keytab file with the command klist -k -t /etc/krb5.keytab
   2. Set aside the existing keytab file by renaming it
   3. Enter the ktutil command to enter into the ktutil interface
   4. Within the ktutil interface, create a new key entry and write it back to /etc/krb5.keytab
          * addent -password -p host/computername.cs.uwaterloo.ca@CS.UWATERLOO.CA -k KVNO_number -e rc4-hmac
          * At the password prompt supply the password for the Active Directory computername-host account
          * wkt /etc/krb5.keytab
          * q (quit command)

Interesting that this may not fix it until the properties in najas for scspc239-host are adjusted by removing the DES encryption check in Properties (right-click):Account tab:Account Options.
</pre>

---++++ Success?
Run the =klist= command.  You should see something similar to:
<pre>
root@scspc239:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/scspc239.cs.uwaterloo.ca@CS.UWATERLOO.CA

Valid starting     Expires            Service principal
10/22/09 16:37:35  10/23/09 02:37:35  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
        renew until 10/23/09 16:37:35


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
</pre>

---+++ Configuration Of The Ubuntu PAM Stack
Reference: ADAddUbuntu#Configuration_Of_The_Ubuntu_PAM

I started by making a backup of all of the config files:
<pre>
# cd /etc/pam.d
# for i in common-auth  common-account common-session common-password sudo; do cp $i $i.orig; done
</pre>

Update all of the following files so that all other lines are commented out, and then add the indicated lines to the bottom of the file (I usually add a comment line before that to refer to this being a CSCF custom config and the date and author)

---++++ /etc/pam.d/common-auth
<pre>
auth  sufficient      pam_krb5.so forwardable ignore_root debug
auth  required        pam_unix.so try_first_pass nullok_secure
account  required        pam_access.so
</pre>

---++++ /etc/pam.d/common-account
<pre>
account     sufficient    pam_ldap.so debug
account     required      pam_unix.so
</pre>

---++++ /etc/pam.d/common-session
<pre>
session required      pam_mkhomedir.so nmask=0022 skel=/etc/skel/ silent
session sufficient  pam_krb5.so debug
session required  pam_unix.so
session optional  pam_foreground.so
</pre>

---++++ /etc/pam.d/common-password
<pre>
password   sufficient pam_krb5.so ignore_root debug
password   required   pam_unix.so nullok obscure min=4 max=8 md5
</pre>

---+++ Additional Configurations For CSCF Ubuntu Workstations 
I've included some of the changes listed here: ADAddUbuntu#Additional_Configurations_For_CS into the above.  There are a few other necessary changes.

---++++ /etc/pam.d/sudo
Before:
<pre>
root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0

@include common-auth
@include common-account

session required pam_permit.so
session required pam_limits.so
</pre>

After:
<pre>
root@scspc239:/etc/pam.d# cat sudo
#%PAM-1.0

# Custom config for CSCF
# lfolland (2009/10/23)
# include common-auth
auth  sufficient      pam_krb5.so forwardable ignore_root debug
auth  required        pam_unix.so try_first_pass nullok_secure
@include common-account
</pre>

---++++ /etc/security/access.conf
root@scspc239:/etc/pam.d# cd /etc/security
root@scspc239:/etc/security# cp access.conf access.conf.orig
By default, the entire file is commented out, so add the following to the end:
<pre>
+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cscf-adm root : 129.97.0.0/16
+ : staff_cscf : ALL
+ : users_researchgroup : ALL
- : ALL : ALL
</pre>
Note: replace "users_researchgroup" with the group in Active Directory that contains the list of users for that research group.  By convention, we will call those groups "users_name-of-group", eg: "users_watform" or "users_plg".  This group will need to be created, with a permanent GID.  For now, send email to accounts@cs to request group creation. If the user has no group replace users_researchgroup with the user's ID.

---+++ Update the sudoers file
We'd like to provide sudo access to CSCF staff as well as the list of admin users for the specific research group

<pre>
#visudo

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# CS Active directory groups with sudo privileges
%staff_cscf ALL=(ALL) ALL
%admin_plg ALL=(ALL) ALL
</pre>

If the user is not in an admin group, i.e. not in PLG or AI etc., then replace %admin_plg with the user's ID without the percent sign

---+++ Additional Configurations For Enabling Single Sign On (SSO) 
While this may not be strictly necessary, it would be helpful to the user if they can move from one machine to another when it is in the same Kerberos realm.  Practically speaking, that will be all machines setup in a way similar to this - authenticating to our Active Directory.  Most of the machines in the CS Core do not *yet* do this, but it is the direction.  And, certainly, as we migrate research groups to this approach it will allow easy movement between machines

Reference: ADAddUbuntu#Additional_Configurations_For_En

In the section: # GSSAPI options
make the following changes:
<pre>
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
</pre>

The notes say to set =UsePAM= to yes, but that is already set, so it's ok.

---+++ Create standard Shells
Our Active Directory stores the user's login shell.  However, given that it was originally setup for use on the CS core servers, these are usually kept in the /xhbin directory.  Therefore you will need a link to the local version of: bash, sh, csh, tcsh as a minimum.

<pre>
root@scspc239:~# mkdir /xhbin
root@scspc239:~# which bash
/bin/bash
root@scspc239:~# ln -s /bin/bash /xhbin/bash
root@scspc239:~# which csh
/bin/csh
root@scspc239:~# ln -s /bin/csh /xhbin/csh
root@scspc239:~# which sh
/bin/sh
root@scspc239:~# ln -s /bin/sh /xhbin/sh
root@scspc239:~# which tcsh
/usr/bin/tcsh
root@scspc239:~# ln -s /usr/bin/tcsh /xhbin/tcsh
root@scspc239:~# cd /xhbin
root@scspc239:/xhbin# ls -l
total 0
lrwxrwxrwx 1 root root  9 2009-10-26 10:17 bash -> /bin/bash
lrwxrwxrwx 1 root root  8 2009-10-26 10:17 csh -> /bin/csh
lrwxrwxrwx 1 root root  7 2009-10-26 10:16 sh -> /bin/sh
lrwxrwxrwx 1 root root 13 2009-10-26 10:15 tcsh -> /usr/bin/tcsh
</pre>

---+++ Create home directory pointers
On a typical Ubuntu system the base for home directories is /home.  In the CS Active Directory, we store the absolute path used in the CS core machines.  The users there are broken into nine directories: /u1 ... /u9.  Also, we are used to being able to =cd /u/userid=.  So, we will create pointers from u, u1-u9 into /home:

<pre>
root@scspc239:/xhbin#  for i in u u1 u2 u3 u4 u5 u6 u7 u8 u9; do ln -s /home /$i; done
root@scspc239:/xhbin# ls -ld /u*
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u1 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u2 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u3 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u4 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u5 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u6 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u7 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u8 -> /home
lrwxrwxrwx  1 root root    5 2009-10-26 10:25 /u9 -> /home
root@scspc239:/xhbin# 
</pre>

This will keep all our home directories in the same place regardless of how they are created (locally or by AD login)

---+++ Test your setup
Check to make sure LDAP is still working:
=getent passwd someuserid=

Test logging in to your new system:
<pre>
@cscf[104]% ssh scspc239
lfolland@scspc239's password: 
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
/usr/bin/X11/xauth:  creating new authority file /u3/lfolland/.Xauthority
lfolland@scspc239:~$ 
</pre>
 - and it works!
Topic revision: r17 - 2010-09-16 - GordBoerke
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.
Other Webs
My links
- People
- CERAS
- WatForm
- Tetherless lab
- Ubuntu Main.HowTo
- eDocs
- RGG NE notes
- RGG
- CS infrastructure
- Grad images
Edit