-- RonaldoGarcia - 19 Jan 2011

Ubuntu LDAP Setup


REF:  https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddUbuntu#Introduction

Install: ldap-utils, krb5-user, libnss-ldap, libpam-krb5, libpam-foreground, ntp

    $sudo apt-get -y install ldap-utils
    $sudo apt-get -y install krb5-user
   
   When asked for the Kerberos server name, leave it blank and click <OK>.

    $sudo apt-get -y install libnss-ldap

      It will prompt for the following values (in the first line, change ldapi to ldap):
        uri ldap://ldap.cs.uwaterloo.ca/
        base dc=cs,dc=uwaterloo,dc=ca
        LDAP version to use    3
        Make local root Database admin         <No>
        Does the LDAP database require login?  <No>

    $sudo apt-get -y install libpam-krb5
    $sudo apt-get -y install libpam-foreground
    $sudo apt-get install ntp

-------------------------
IMPORTANT: Make a backup copy of each file, then add or replace its content with the following.
-------------------------

Copy   cp /etc/nsswitch.conf /etc/nsswitch.conf.original

 Replace the content of /etc/nsswitch.conf with:
 
passwd:       files ldap
group:        files ldap
shadow:       files ldap

hosts:         dns files
networks:      files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

----------------------------------
LDAP.CONF
----------------------------------
Rename the existing ldap.conf files:   # mv /etc/ldap/ldap.conf /etc/ldap/ldap.conf.orig
                                       # mv /etc/ldap.conf /etc/ldap.conf.orig

Create (new)   /etc/ldap.conf   # echo > /etc/ldap.conf

Edit /etc/ldap.conf (# nano /etc/ldap.conf) and paste in the following lines:

base dc=cs,dc=uwaterloo,dc=ca
uri ldap://ldap.cs.uwaterloo.ca/
ldap_version 3
bind_policy soft
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute cn displayName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad


Create symbolic link for /etc/ldap.conf   in  /etc/ldap/  :  ln -s /etc/ldap.conf /etc/ldap/

root@pedernales:/# ls -l /etc/ldap
Should display:     ldap.conf  ldap.conf.orig

------------------
Use this command to get uncommented lines only:
egrep -v '(^$|^#)' /etc/ldap.conf 
------------------
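As an added example (not part of the original page), the "uncommented lines only" view above turned into a small linter: it reads /etc/nsswitch.conf and /etc/ldap.conf the same way and reports where they depart from the settings given in this page. The files it checks are constructed inline; the expected values (base, ldap:// scheme, uid mapped to sAMAccountName, pam_password ad, ldap in the passwd/group/shadow lines) are the ones listed above.

```sh
#!/bin/sh
# Lint the two files this page edits for NSS over LDAP, using the same "uncommented
# lines only" view as the egrep command above. Problems are printed one per line;
# no output means the file matches what this page asks for.
effective() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }       # strip comments and blank lines

nsswitch_problems() {
    effective "$1" | awk '
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            seen[$1] = 1; ok = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1
            if (!ok) print "nsswitch.conf: " $1 " does not list ldap, so AD accounts stay invisible to it"
        }
        END { split("passwd: group: shadow:", want, " ")
              for (i = 1; i <= 3; i++) if (!seen[want[i]]) print "nsswitch.conf: no " want[i] " line" }'
}

ldap_conf_problems() {
    effective "$1" | awk '
        $1 == "uri"  { seen["uri"] = 1; if ($2 !~ /^ldap:\/\//) print "ldap.conf: uri must use ldap://, got " $2 }
        $1 == "base" { seen["base"] = 1; if ($2 != "dc=cs,dc=uwaterloo,dc=ca") print "ldap.conf: unexpected base " $2 }
        $1 == "nss_map_attribute" && $2 == "uid" { seen["uid"] = 1; if ($3 != "sAMAccountName") print "ldap.conf: uid must map to sAMAccountName" }
        $1 == "pam_password" { seen["pw"] = 1; if ($2 != "ad") print "ldap.conf: pam_password must be ad" }
        END { if (!seen["uri"])  print "ldap.conf: missing uri"
              if (!seen["base"]) print "ldap.conf: missing base"
              if (!seen["uid"])  print "ldap.conf: uid is not mapped to sAMAccountName (AD logins will not resolve)"
              if (!seen["pw"])   print "ldap.conf: missing pam_password ad" }'
}

# Constructed sample files: the settings from this page, a file still using the ldapi://
# scheme the install step says to correct, and an nsswitch.conf whose shadow line lacks ldap.
GOOD=$(mktemp); BAD=$(mktemp); NSS=$(mktemp)
printf '%s\n' 'base dc=cs,dc=uwaterloo,dc=ca' 'uri ldap://ldap.cs.uwaterloo.ca/' 'ldap_version 3' \
    'nss_map_attribute uid sAMAccountName' 'pam_password ad' > "$GOOD"
printf '%s\n' '# generated' 'base dc=cs,dc=uwaterloo,dc=ca' 'uri ldapi://ldap.cs.uwaterloo.ca/' > "$BAD"
printf '%s\n' 'passwd: files ldap' 'group:  files ldap' 'shadow: files' > "$NSS"

ldap_conf_problems "$GOOD"      # prints nothing
ldap_conf_problems "$BAD"       # prints three problems: ldapi:// uri, unmapped uid, no pam_password
nsswitch_problems "$NSS"        # prints one problem: shadow: does not list ldap
```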

DNS configuration
Make sure that   # hostname --fqdn   returns:
<<serverId>>.cs.uwaterloo.ca

If not, add to /etc/hosts:
<<Host IP>>      <<serverId>>.cs.uwaterloo.ca <<serverId>>.cs <<serverId>>

Time Server
Copy  /etc/ntp.conf  to  /etc/ntp.conf.org :   cp /etc/ntp.conf /etc/ntp.conf.org

Configure /etc/ntp.conf

Add the following lines near the beginning of /etc/ntp.conf:
    server ntp.student.cs.uwaterloo.ca
    server ntp.cs.uwaterloo.ca

Then run these commands:
    /etc/init.d/ntp stop
    ntpdate ntp.cs.uwaterloo.ca
    /etc/init.d/ntp start

---------------------------------
 
Join the computer to the domain (AD)
Create a host-user in AD 

1-  Connect to najas (as admin)
2-  Open Active Directory Users and Computers 
3-  Open CS/LinuxHosts and right-click on an empty spot
4-  From the context menu choose New > User
5- Enter the user name:
      Full name: <<hostID>>-host          (example tumbo-host)
      User logon name: <<hostID>>-host   (example: tumbo-host)
      Note: the name has to end with “-host”; remove the “.cs” if present in the name.

6- Click on Next and enter the password  (Use the one created for cscf admin)
     Make sure that “Password never expires” is the only box with a check mark.

7- Click on “Next”, then on “Finish”.

8- Right-click on the name of the new user and select “Properties” in the menu.

9- Under the “General” tab, enter in the “Description” field:
       Kerberos host principal for  (Group)  <<hostId>>.cs.uwaterloo.ca
       Example: Kerberos host principal for (watform) Tumbo.cs.uwaterloo.ca

10- Select the “Account” tab and in the section “Account options” check:
      “Do not require Kerberos pre-authentication”

11- Click on “Apply” and perform the “Create a keytab” procedure in the next section.

For details, see “Active Directory Setup For Each Solaris Host” up to, but not including, “Create A User Account For The Solaris System Within The Active Directory”
at https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#Active_Directory_Setup_For_Each

 Create A keytab File For the Linux Hosts:

On Najas open a “cmd” window (terminal). At the command prompt enter the following command, making sure you replace
<<hostId>>-host/cs.uwaterloo.ca@CS.UWATERLOO.CA with the appropriate value (example: watform-host/cs.uwaterloo.ca@CS.UWATERLOO.CA):

ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ hostID-host/cs.uwaterloo.ca@CS.UWATERLOO.CA -mapuser CS-GENERAL\hostID-host -pass <<password-here>> -out c:\temp\krb5.keytab

Copy c:\temp\krb5.keytab to HostId:/etc/krb5.keytab

 Configure /etc/krb5.conf
–   Copy /etc/krb5.conf to /etc/krb5.conf.original
–   Replace the content of /etc/krb5.conf with the krb5.conf given in the “Configuration files” section of this document.

 
Create folder and log files:

As root, create the following folder and files:

# mkdir /var/log/krb5
# touch /var/log/krb5/kdc.log
# touch /var/log/krb5/kadmind.log

Initialize Kerberos client:
kinit -k -t /etc/krb5.keytab <<HostID>>-host/cs.uwaterloo.ca@CS.UWATERLOO.CA

 Verification:

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <<hostID-host>>/cs.uwaterloo.ca@CS.UWATERLOO.CA

Valid starting     Expires            Service principal
08/05/09 09:35:22  08/05/09 19:35:22  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
        renew until 08/06/09 09:35:22

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

------------------------------

Create the folder /etc/Pamoriginals and copy /etc/nsswitch.conf and /etc/pam.d/* into it:

cp /etc/nsswitch.conf /etc/Pamoriginals/
cp /etc/pam.d/*  /etc/Pamoriginals/

If they were already created, also move krb5.conf.original, ldap.conf.orig and nsswitch.conf.original
to /etc/Pamoriginals/  (mv /etc/*.ori* /etc/Pamoriginals/)


Configuration Of The Ubuntu PAM Stack:

Replace the (uncommented) content of the following files with:

/etc/pam.d/common-auth:
auth        sufficient     pam_krb5.so forwardable ignore_root debug
auth        required       pam_unix.so try_first_pass nullok_secure
account     required       pam_access.so


/etc/pam.d/common-account:
account     sufficient     pam_ldap.so debug
account     required       pam_unix.so


/etc/pam.d/common-session:
session     required       pam_mkhomedir.so mask=0022 skel=/etc/skel/ silent
session     sufficient     pam_krb5.so debug
session     required       pam_unix.so
session     optional       pam_foreground.so

/etc/pam.d/common-passwd
(if this file doesn't exist, use /etc/pam.d/common-password)
Prepend these lines:
password   sufficient pam_krb5.so ignore_root debug
password   required   pam_unix.so nullok obscure min=4 max=8 md5


Verify that the LDAP lookup is working:

#ldapsearch -x -H ldap://ldap.cs -b dc=cs,dc=uwaterloo,dc=ca cn=username 

#getent passwd cscf-adm    OK
cscf-adm:x:1000:1000:cscf-adm,,,:/home/cscf-adm:/bin/bash

Optional: Go to DC3558 and try to log in as rgarcia, and as cs-general/rgarcia

#tail -f /var/log/auth.log

Edit  /etc/pam.d/sudo:

[Very important: comment out the line @include common-auth]

#  @include common-auth
auth  sufficient      pam_krb5.so forwardable ignore_root debug
auth  required        pam_unix.so try_first_pass nullok_secure
@include common-account


 Edit /etc/ssh/sshd_config; it should contain:

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes


 Add at the beginning of /etc/security/access.conf:

# Login access control table.
+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cscf-adm root : 129.97.15.0/24
+ : staff_cscf : 129.97.0.0/16
+ : users_watform : ALL
+ : admin_watform : ALL
-: ALL : ALL
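As an added example, not from the original page: a simplified pam_access rule evaluator that shows which logins the table above admits and which it refuses before the table is put on a real host. It models first-match-wins with “+”/“-”, ALL, exact tty/display matches and IPv4 network/prefix origins; it deliberately leaves out EXCEPT lists, hostname origins, LOCAL and dotted-netmask forms, and group membership is passed in by hand since no NSS lookup is involved.

```sh
#!/bin/sh
# Simplified evaluator for a pam_access(8) table such as the one above.
# Modelled: one "perm : users : origins" rule per line, first matching rule wins,
# "+" permits and "-" denies, ALL matches anything, an IPv4 origin may be written as
# network/prefix, and a table with no matching rule permits (pam_access default).
# Usage: access_decision USER "GROUP1 GROUP2" ORIGIN FILE   -> prints permit|deny
access_decision() {
    awk -v user="$1" -v groups=" $2 " -v origin="$3" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function from_ok(tok,  p, net, shift) {
        if (tok == "ALL" || tok == origin) return 1
        if (tok ~ /^[0-9.]+\/[0-9]+$/ && origin ~ /^[0-9.]+$/) {
            p = index(tok, "/"); net = substr(tok, 1, p - 1)
            shift = 2 ^ (32 - substr(tok, p + 1))     # drop the host bits
            return int(ip2int(net) / shift) == int(ip2int(origin) / shift)
        }
        return 0
    }
    function user_ok(tok) { return tok == "ALL" || tok == user || index(groups, " " tok " ") > 0 }
    {
        sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next
        i = index($0, ":"); perm = substr($0, 1, i - 1); rest = substr($0, i + 1)
        j = index(rest, ":"); users = substr(rest, 1, j - 1); froms = substr(rest, j + 1)
        gsub(/[ \t]/, "", perm)                        # froms keeps later colons (":0")
        um = 0; n = split(users, u, /[ \t]+/); for (k = 1; k <= n; k++) if (u[k] != "" && user_ok(u[k])) um = 1
        fm = 0; n = split(froms, f, /[ \t]+/); for (k = 1; k <= n; k++) if (f[k] != "" && from_ok(f[k])) fm = 1
        if (um && fm) { decided = 1; verdict = (perm == "+") ? "permit" : "deny"; print verdict; exit }
    }
    END { if (!decided) print "permit" }' "$4"
}

# Constructed copy of the table from this page, written to a temp file for the demo.
ACCESS_TABLE=$(mktemp)
cat > "$ACCESS_TABLE" <<'EOF'
# Login access control table.
+ : root cscf-adm : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : cscf-adm root : 129.97.15.0/24
+ : staff_cscf : 129.97.0.0/16
+ : users_watform : ALL
+ : admin_watform : ALL
-: ALL : ALL
EOF

# Who gets in from where? Groups are passed explicitly; the real module asks NSS.
access_decision root     ""           tty1         "$ACCESS_TABLE"   # permit: console
access_decision cscf-adm ""           129.97.15.42 "$ACCESS_TABLE"   # permit: admin subnet
access_decision root     ""           129.97.20.9  "$ACCESS_TABLE"   # deny: root only from the /24
access_decision jdoe     "staff_cscf" 129.97.200.1 "$ACCESS_TABLE"   # permit: campus /16
access_decision jdoe     "staff_cscf" 10.0.0.1     "$ACCESS_TABLE"   # deny: final catch-all
```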

 Add to /etc/sudoers (use the visudo command):
%admin_watform ALL=(ALL)  ALL
%staff_cscf ALL=(ALL)  ALL

 Test  (ssh) login as xyz
 Test  sudo -s 
 Test  tail -f /var/log/auth.log


=====================
Configuration files:
=====================
 /etc/ldap.conf
 /etc/nsswitch.conf
 /etc/krb5.conf

/etc/security/access.conf
/etc/ssh/sshd_config
/etc/sudoers

 /etc/pam.d/common-auth 
 /etc/pam.d/common-account 
 /etc/pam.d/common-session 
 /etc/pam.d/common-passwd or  /etc/pam.d/common-password
/etc/pam.d/sudo


# /etc/krb5.conf

[libdefaults]
 default_realm = CS.UWATERLOO.CA
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
# default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
# default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
 verify_ap_req_nofail = false

[realms]
 CSCF.UWATERLOO.CA = {
   kdc = elisa.cscf.uwaterloo.ca:88
   kdc = aeshena.cscf.uwaterloo.ca:88
   kdc = glaciais.cscf.uwaterloo.ca:88
   admin_server = elisa.cscf.uwaterloo.ca:464
   kpasswd_server = elisa.cscf.uwaterloo.ca:464
   kpasswd_protocol = SET_CHANGE
 }

 CS.UWATERLOO.CA = {
   kdc = intacta.cs.uwaterloo.ca:88
   kdc = serverus.cs.uwaterloo.ca:88
   kdc = viridis.cs.uwaterloo.ca:88
   admin_server = intacta.cs.uwaterloo.ca:464
   kpasswd_server = intacta.cs.uwaterloo.ca:464
   kpasswd_protocol = SET_CHANGE
 }

 STUDENT.CS.UWATERLOO.CA = {
   kdc = eponina.student.cs.uwaterloo.ca:88
   kdc = candenis.student.cs.uwaterloo.ca:88
   kdc = cyanea.student.cs.uwaterloo.ca:88
   admin_server = eponina.student.cs.uwaterloo.ca:464
   kpasswd_server = eponina.student.cs.uwaterloo.ca:464
   kpasswd_protocol = SET_CHANGE
 }

[domain_realm]
 .cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
 cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
 .cs.uwaterloo.ca = CS.UWATERLOO.CA
 cs.uwaterloo.ca = CS.UWATERLOO.CA
 .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
 student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA

[kdc]
 profile = /etc/krb5/kdc.conf

[logging]
        default = FILE:/var/log/krb5/kdc.log
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

[appdefaults]
        pam = {
         debug = true
         ticket_lifetime = 36000
         renew_lifetime = 36000
         forwardable = true
         krb4_convert = false
        }
        kinit = {
                renewable = true
                forwardable = true
        }

=====================

Ubuntu Ladp Scripts

Topic revision: r2 - 2011-01-20 - RonaldoGarcia
 