REF: https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddUbuntu#Introduction

Install: ldap-utils, krb5-user, libnss-ldap, libpam-krb5, libpam-foreground, ntp

$ sudo apt-get -y install ldap-utils
$ sudo apt-get -y install krb5-user
    Kerberos server name .... Leave it blank, click on <OK>
$ sudo apt-get -y install libnss-ldap
    Will ask for the following information (in the first line change ldapi to ldap):
    uri ldap://ldap.cs.uwaterloo.ca/
    base dc=cs,dc=uwaterloo,dc=ca
    LDAP version to use: 3
    Make local root Database admin: <No>
    Does the LDAP database require login? <No>
$ sudo apt-get -y install libpam-krb5
$ sudo apt-get -y install libpam-foreground
$ sudo apt-get install ntp

-------------------------
IMPORTANT: Make a copy of each file and add or replace the content of each file by the following.
-------------------------

Copy:
    cp /etc/nsswitch.conf /etc/nsswitch.conf.original

Replace in /etc/nsswitch.conf:
    passwd:     files ldap
    group:      files ldap
    shadow:     files ldap
    hosts:      dns files
    networks:   files
    protocols:  db files
    services:   db files
    ethers:     db files
    rpc:        db files
    netgroup:   nis

----------------------------------
LDAP.CONF
----------------------------------
Rename the ldap.conf files:
    # mv /etc/ldap/ldap.conf /etc/ldap/ldap.conf.orig
And:
    # mv /etc/ldap.conf /etc/ldap.conf.orig
Create a (new) /etc/ldap.conf:
    # echo > /etc/ldap.conf
Edit /etc/ldap.conf:
    # nano /etc/ldap.conf
and copy in the following lines:
    base dc=cs,dc=uwaterloo,dc=ca
    uri ldap://ldap.cs.uwaterloo.ca/
    ldap_version 3
    bind_policy soft
    nss_map_objectclass posixAccount user
    nss_map_objectclass shadowAccount user
    nss_map_attribute uid sAMAccountName
    nss_map_attribute cn displayName
    nss_map_attribute homeDirectory unixHomeDirectory
    nss_map_attribute shadowLastChange pwdLastSet
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    pam_login_attribute sAMAccountName
    pam_filter objectclass=User
    pam_password ad
Create a symbolic link for /etc/ldap.conf in /etc/ldap/:
    ln -s /etc/ldap.conf /etc/ldap/
    root@pedernales:/# ls -l /etc/ldap
Should display:
    ldap.conf
    ldap.conf.orig
------------------
Use this command to get uncommented lines only:
    egrep -v '(^$|^#)' /etc/ldap.conf
------------------

DNS configuration
Make sure that
    # hostname --fqdn
returns <<serverId>>.cs.uwaterloo.ca. If not, add to /etc/hosts:
    <<Host IP>> <<serverId>>.cs.uwaterloo.ca <<serverId>>.cs <<serverId>>

Time Server
Copy /etc/ntp.conf to /etc/ntp.conf.org:
    cp /etc/ntp.conf /etc/ntp.conf.org
Configure /etc/ntp.conf: add the following lines near the beginning of /etc/ntp.conf:
    server ntp.student.cs.uwaterloo.ca
    server ntp.cs.uwaterloo.ca
Then run these commands:
    /etc/init.d/ntp stop
    ntpdate ntp.cs.uwaterloo.ca
    /etc/init.d/ntp start

---------------------------------
Join the computer to the domain (AD)

Create a host-user in AD
1- Connect to najas (as admin)
2- Open Active Directory Users and Computers
3- Open CS/LinuxHosts and right-click on an empty spot
4- From the contextual menu choose New/User
5- Enter the user name:
       Full name: <<hostID>>-host (example: tumbo-host)
       User logon name: <<hostID>>-host (example: tumbo-host)
   Note: the name has to end with "-host"; remove the ".cs" if present in the name.
6- Click on Next and enter the password (use the one created for cscf admin).
   Make sure that "Password never expires" is the only box with a check mark.
7- Click on "Next", then on "Finish".
8- Right-click on the name of the new user and select "Properties" in the menu.
9- Under the "General" tab, enter in the "Description" field:
       Kerberos host principal for (Group) <<hostId>>.cs.uwaterloo.ca
   Example: Kerberos host principal for (watform) Tumbo.cs.uwaterloo.ca
10- Select the "Account" tab and in the section "Account options" check:
       "Do not require Kerberos pre-authentication"
11- Click on "Apply" and perform the "create a keytab" procedure in the next section.
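The nss_map_attribute lines in /etc/ldap.conf above are what turn an AD user object into the passwd(5) line that getent passwd returns later in this procedure. The script below is an added example, not part of the original page: it applies those mappings (uid from sAMAccountName, cn from displayName, homeDirectory from unixHomeDirectory) to a constructed LDIF entry; the unmapped uidNumber/gidNumber/loginShell attributes, the fallback home and shell, and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Apply the nss_map_attribute mappings from /etc/ldap.conf to one AD entry
# in LDIF form and print the passwd(5) line "getent passwd" would return.
# Assumption (not from the page): uidNumber, gidNumber and loginShell are
# stored unmapped, as the Unix attributes of the AD schema are.

# ad_to_passwd: read one LDIF entry on stdin, print
# "user:x:uid:gid:gecos:home:shell"; fails if uid or gid numbers are missing
ad_to_passwd() {
    awk '
        # "attr: value" lines; the value starts after ": "
        /^[A-Za-z]+: / {
            attr = $1; sub(/:$/, "", attr)
            value = substr($0, length(attr) + 3)
            # ldap.conf mappings: uid <- sAMAccountName, cn <- displayName,
            # homeDirectory <- unixHomeDirectory
            if (attr == "sAMAccountName") uid = value
            else if (attr == "displayName") cn = value
            else if (attr == "unixHomeDirectory") home = value
            else if (attr == "uidNumber") uidnum = value
            else if (attr == "gidNumber") gidnum = value
            else if (attr == "loginShell") shell = value
        }
        END {
            # without a login name and numeric ids there is no passwd entry
            if (uid == "" || uidnum == "" || gidnum == "") exit 1
            # fallbacks are this example choice, not nss_ldap behaviour
            if (home == "") home = "/home/" uid
            if (shell == "") shell = "/bin/sh"
            printf "%s:x:%s:%s:%s:%s:%s\n", uid, uidnum, gidnum, cn, home, shell
        }'
}

# Constructed sample entry (all values invented for this example)
SAMPLE_ENTRY='dn: CN=cscf-adm,OU=LinuxHosts,DC=cs,DC=uwaterloo,DC=ca
objectClass: User
sAMAccountName: cscf-adm
displayName: CSCF Admin
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/cscf-adm
loginShell: /bin/bash'

printf '%s\n' "$SAMPLE_ENTRY" | ad_to_passwd
```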
See "Active Directory Setup For Each Solaris Host" up to, but not including, "Create A User Account For The Solaris System Within The Active Directory" in https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#Active_Directory_Setup_For_Each

Create A Keytab File For The Linux Hosts:
On Najas open a "cmd" window (terminal). At the command prompt enter the following command, making sure you replace <<hostId>>-host/cs.uwaterloo.ca@CS.UWATERLOO.CA by the appropriate value (example: watform-host/cs.uwaterloo.ca@CS.UWATERLOO.CA):
    ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ hostID-host/cs.uwaterloo.ca@CS.UWATERLOO.CA -mapuser CS-GENERAL\hostID-host -pass <<password-here>> -out c:\temp\krb5.keytab
Copy c:\temp\krb5.keytab to HostId:/etc/krb5.keytab

Configure /etc/krb5.conf:
    - Copy /etc/krb5.conf to /etc/krb5.conf.original
    - Replace the content of /etc/krb5.conf by the krb5.conf given in the section "Configuration files" of this document.

Create folder and log files:
As root, create the following folder and files:
    # mkdir /var/log/krb5
    # touch /var/log/krb5/kdc.log
    # touch /var/log/krb5/kadmind.log

Initialize the Kerberos client:
    kinit -k -t /etc/krb5.keytab <<HostID>>-host/cs.uwaterloo.ca@CS.UWATERLOO.CA

Verification:
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: <<hostID-host>>/cs.uwaterloo.ca@CS.UWATERLOO.CA

    Valid starting     Expires            Service principal
    08/05/09 09:35:22  08/05/09 19:35:22  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
            renew until 08/06/09 09:35:22

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached

-----------------------------
Create the folder /etc/Pamoriginals and make copies of /etc/nsswitch.conf and /etc/pam.d/*:
    cp /etc/nsswitch.conf /etc/Pamoriginals/
    cp /etc/pam.d/* /etc/Pamoriginals/
If already created, move krb5.conf.original, ldap.conf.orig and nsswitch.conf.original to /etc/Pamoriginals/:
    mv /etc/*.ori* /etc/Pamoriginals/

Configuration Of The Ubuntu PAM Stack:
Replace the content of the following files by (uncommented lines):
/etc/pam.d/common-auth:
    auth sufficient pam_krb5.so forwardable ignore_root debug
    auth required pam_unix.so try_first_pass nullok_secure
    account required pam_access.so

/etc/pam.d/common-account:
    account sufficient pam_ldap.so debug
    account required pam_unix.so

/etc/pam.d/common-session:
    session required pam_mkhomedir.so mask=0022 skel=/etc/skel/ silent
    session sufficient pam_krb5.so debug
    session required pam_unix.so
    session optional pam_foreground.so

/etc/pam.d/common-passwd (if this file doesn't exist, use /etc/pam.d/common-password):
    # Prepend these lines:
    password sufficient pam_krb5.so ignore_root debug
    password required pam_unix.so nullok obscure min=4 max=8 md5

Verify that the LDAP lookup is working:
    # ldapsearch -x -H ldap://ldap.cs -b dc=cs,dc=uwaterloo,dc=ca cn=username
    # getent passwd cscf-adm
OK:
    cscf-adm:x:1000:1000:cscf-adm,,,:/home/cscf-adm:/bin/bash

Optional: go to DC3558 and try to log in as rgarcia, and as cs-general/rgarcia, while watching:
    # tail -f /var/log/auth.log

Edit /etc/pam.d/sudo [very important: comment out the line "@include common-auth"]:
    # @include common-auth
    auth sufficient pam_krb5.so forwardable ignore_root debug
    auth required pam_unix.so try_first_pass nullok_secure
    @include common-account

Edit /etc/ssh/sshd_config; it should have:
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    UsePAM yes

Add at the beginning of the file /etc/security/access.conf:
    # Login access control table.
    + : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
    + : cscf-adm root : 129.97.15.0/24
    + : staff_cscf : 129.97.0.0/16
    + : users_watform : ALL
    + : admin_watform : ALL
    -: ALL : ALL

Add to the file /etc/sudoers (use the command visudo):
    %admin_watform ALL=(ALL) ALL
    %staff_cscf ALL=(ALL) ALL

Test (ssh) login as xyz
Test sudo -s
Test tail -f /var/log/auth.log

=====================
Configuration files:
=====================
/etc/ldap.conf
/etc/nsswitch.conf
/etc/krb5.conf
/etc/security/access.conf
/etc/ssh/sshd_config
/etc/sudoers
/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-session
/etc/pam.d/common-passwd or /etc/pam.d/common-password
/etc/pam.d/sudo

# /etc/krb5.conf
[libdefaults]
    default_realm = CS.UWATERLOO.CA
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes
#   default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
#   default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
    verify_ap_req_nofail = false

[realms]
    CSCF.UWATERLOO.CA = {
        kdc = elisa.cscf.uwaterloo.ca:88
        kdc = aeshena.cscf.uwaterloo.ca:88
        kdc = glaciais.cscf.uwaterloo.ca:88
        admin_server = elisa.cscf.uwaterloo.ca:464
        kpasswd_server = elisa.cscf.uwaterloo.ca:464
        kpasswd_protocol = SET_CHANGE
    }
    CS.UWATERLOO.CA = {
        kdc = intacta.cs.uwaterloo.ca:88
        kdc = serverus.cs.uwaterloo.ca:88
        kdc = viridis.cs.uwaterloo.ca:88
        admin_server = intacta.cs.uwaterloo.ca:464
        kpasswd_server = intacta.cs.uwaterloo.ca:464
        kpasswd_protocol = SET_CHANGE
    }
    STUDENT.CS.UWATERLOO.CA = {
        kdc = eponina.student.cs.uwaterloo.ca:88
        kdc = candenis.student.cs.uwaterloo.ca:88
        kdc = cyanea.student.cs.uwaterloo.ca:88
        admin_server = eponina.student.cs.uwaterloo.ca:464
        kpasswd_server = eponina.student.cs.uwaterloo.ca:464
        kpasswd_protocol = SET_CHANGE
    }

[domain_realm]
    .cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
    cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
    .cs.uwaterloo.ca = CS.UWATERLOO.CA
    cs.uwaterloo.ca = CS.UWATERLOO.CA
    .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
    student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA

[kdc]
    profile = /etc/krb5/kdc.conf

[logging]
    default = FILE:/var/log/krb5/kdc.log
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
    kinit = {
        renewable = true
        forwardable = true
    }
=====================
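As an added example that is not part of the original procedure, the POSIX shell script below audits the files listed under "Configuration files" for the settings this document requires: the ldap entries in nsswitch.conf, pam_password ad and the sAMAccountName mapping in ldap.conf, the CS.UWATERLOO.CA default realm, the commented-out @include common-auth and the pam_krb5 line in /etc/pam.d/sudo, the GSSAPI and UsePAM lines in sshd_config, and the closing "-: ALL : ALL" rule in access.conf. The function names and the optional root-directory argument (so a staging copy can be checked) are this example's own.

```shell
#!/bin/sh
# Audit the configuration files of this procedure for the required settings.
# audit_ad_config ROOT prints one FAIL line per missing setting and returns
# the number of failures; ROOT (an assumption of this example, default "")
# prefixes every path so a staging copy of /etc can be checked.

# Active (uncommented, non-blank) lines only, the same filter as:
#   egrep -v '(^$|^#)' /etc/ldap.conf
active_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null; }

# require FILE PATTERN MESSAGE: some active line must match PATTERN
require() {
    if ! active_lines "$root$1" | grep -q "$2"; then
        echo "FAIL: $1: $3"; fails=$((fails + 1))
    fi
}

# forbid FILE PATTERN MESSAGE: no active line may match PATTERN
forbid() {
    if active_lines "$root$1" | grep -q "$2"; then
        echo "FAIL: $1: $3"; fails=$((fails + 1))
    fi
}

audit_ad_config() {
    root=${1:-}; fails=0
    require /etc/nsswitch.conf '^passwd:.*ldap' 'passwd lookups must include ldap'
    require /etc/ldap.conf '^pam_password ad' 'pam_password must be ad'
    require /etc/ldap.conf '^nss_map_attribute uid sAMAccountName' 'uid must map to sAMAccountName'
    require /etc/krb5.conf 'default_realm = CS.UWATERLOO.CA' 'default_realm must be CS.UWATERLOO.CA'
    # marked "very important" in the procedure: sudo must not pull in common-auth
    forbid /etc/pam.d/sudo '^@include common-auth' '@include common-auth must be commented out'
    require /etc/pam.d/sudo '^auth.*pam_krb5.so' 'sudo must authenticate through pam_krb5'
    require /etc/ssh/sshd_config '^GSSAPIAuthentication yes' 'GSSAPIAuthentication must be yes'
    require /etc/ssh/sshd_config '^UsePAM yes' 'UsePAM must be yes'
    # access.conf: the last active rule must be the catch-all deny
    last=$(active_lines "$root/etc/security/access.conf" | tail -n 1)
    case "$last" in
        -*:*ALL*:*ALL*) ;;
        *) echo "FAIL: /etc/security/access.conf: last rule must be '-: ALL : ALL'"
           fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Run against the live system, or against the root given as first argument
audit_ad_config "${1:-}" || echo "$? required setting(s) missing"
```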