Example: novo.ca
Partitions required according to the context:
- Create folders /u and /scratch (mkdir /u /scratch)
- Mount /u and /scratch
- Scripts are in \\asimov\IMAGES\ubuntu-scripts\LDAP (replace /scratch/novotools/ by the path where the scripts are)
- Execute script createfnl. This script will:
  - Create folder /xhbin
        # mkdir /u /xhbin /scratch
  - Create links to /u (/u[1-9])
        for i in 1 2 3 4 5 6 7 8 9; do ln -s /u /u$i; done
  - Create links to bash for csh, tcsh in /xhbin
        for i in csh tcsh bash; do ln -s /bin/bash /xhbin/$i; done
        ln -s /bin/dash /xhbin/sh
- Reboot, and verify that /tmp, /u and /scratch are mounted (use df -kH)
- Verify that the links to /u are created (/u1 .. /u9): ls -l /

9) LDAP Authentication:
- Execute:
        /scratch/novotools/inst-ldap
  Accept all default values.
        /scratch/novotools/copy-orig
  Verify hostname -fqdn and change /etc/hosts.
        /scratch/novotools/copy-nfiles
- See section "Join the computer to the domain (AD)" and create a host-user in AD
- Execute:
        /scratch/novotools/set-krb5 novox
  This file will:
  - copy krb5.keytab.novox to /etc/krb5.keytab
  - initialize the Kerberos client:
        kinit -k -t /etc/krb5.keytab <<HostID>>-host/cs.uwaterloo.ca@CS.UWATERLOO.CA
  Verify:
        # klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: <<hostID-host>>/cs.uwaterloo.ca@CS.UWATERLOO.CA

        Valid starting     Expires            Service principal
        08/05/09 09:35:22  08/05/09 19:35:22  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
                renew until 08/06/09 09:35:22

        Kerberos 4 ticket cache: /tmp/tkt0
        klist: You have no tickets cached
- Verify that LDAP lookup is working:
        # ldapsearch -x -H ldap://ldap.cs.uwaterloo.ca -b dc=cs,dc=uwaterloo,dc=ca cn=username
        # getent passwd cscf-adm
  OK:
        cscf-adm:x:1000:1000:cscf-adm,,,:/home/cscf-adm:/bin/bash
        binma:*:25805:27201:binma:/u4/binma:/xhbin/tcsh
- Add to file /etc/sudoers (use command visudo):
        %admin_bif ALL=(ALL) ALL
        %staff_cscf ALL=(ALL) ALL
- Reboot and verify sudo -s

-------------------------------------
Join the computer to the domain (AD)
-------------------------------------
Create a host-user in AD:
1- Connect to najas (as admin)
2- Open Active Directory Users and Computers
3- Open CS/LinuxHosts and right-click on an empty spot
4- From the contextual menu choose New/User
5- Enter the user name:
       Full name: <<hostID>>-host (example: tumbo-host)
       User logon name: <<hostID>>-host (example: tumbo-host)
   Note: the name has to end with "-host"; remove the ".cs" if present in the name.
6- Click on Next and enter the password (use the one created for cscf admin). Make sure that "Password never expires" is the only box with a check mark.
7- Click on "Next", then on "Finish".
8- Right-click on the name of the new user and select "Properties" in the menu.
9- Under the "General" tab, enter in the "Description" field:
       Kerberos host principal for (Group) <<hostId>>.cs.uwaterloo.ca
   Example: Kerberos host principal for (watform) Tumbo.cs.uwaterloo.ca
10- Select the "Account" tab and, in the section "Account options", check "Do not require Kerberos pre-authentication".
11- Click on "Apply" and perform the "Create a keytab" procedure in the next section.

See "Active Directory Setup For Each Solaris Host" until "Create A User Account For The Solaris System Within The Active Directory" (section excluded) in https://www.cs.uwaterloo.ca/twiki/view/CF/ADAddSolaris10#Active_Directory_Setup_For_Each

Create a keytab file for the Linux hosts:
On najas open a "cmd" window (terminal). At the command prompt enter the following command, making sure you replace <<hostId>>-host/cs.uwaterloo.ca@CS.UWATERLOO.CA by the appropriate value (example: watform-lab/cs.uwaterloo.ca@CS.UWATERLOO.CA):
       ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ hostID-host/cs.uwaterloo.ca@CS.UWATERLOO.CA -mapuser CS-GENERAL\hostID-host -pass <<password-here>> -out c:\temp\krb5.keytab
Copy c:\temp\krb5.keytab to HostId:/etc/krb5.keytab

Configure /etc/krb5.conf:
Copy /etc/krb5.conf to /etc/krb5.conf.original. Replace the content of /etc/krb5.conf by krb5.conf in section "Configuration files" of this document.
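The kinit/klist verification in the LDAP authentication section shows what a successful host ticket looks like, and the AD steps give the naming rule for the host-user. The following Python helper is an added example, not code from the page or from the CSCF novotools scripts: it derives the expected principal from a host name (short name, drop a trailing ".cs", append "-host", realm CS.UWATERLOO.CA) and checks a klist listing for a matching default principal and a krbtgt ticket valid at a given time. SAMPLE_KLIST is constructed from the page's klist output with tumbo-host substituted for the <<hostID-host>> placeholder; the function names are the example's own.

```python
"""Check a klist listing for the host principal the page's kinit step should produce.

Added example; not code from the page or the CSCF novotools scripts. The naming
rule (short host name, drop a trailing '.cs', append '-host') is the one given in
the "Create a host-user in AD" steps; SAMPLE_KLIST is constructed from the page's
klist output with 'tumbo-host' in place of the <<hostID-host>> placeholder.
"""
from datetime import datetime

REALM = "CS.UWATERLOO.CA"
DOMAIN = "cs.uwaterloo.ca"
TIME_FMT = "%m/%d/%y %H:%M:%S"        # klist's timestamp layout as shown on the page

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tumbo-host/cs.uwaterloo.ca@CS.UWATERLOO.CA

Valid starting     Expires            Service principal
08/05/09 09:35:22  08/05/09 19:35:22  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
        renew until 08/06/09 09:35:22


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
"""


def host_principal(hostname):
    """Return (AD user name, Kerberos principal) for a host, per the page's rule."""
    short = hostname.lower().rstrip(".")
    for suffix in ("." + DOMAIN, ".cs"):          # 'tumbo.cs.uwaterloo.ca' or 'tumbo.cs'
        if short.endswith(suffix):
            short = short[: -len(suffix)]
    host_id = short.split(".")[0]                 # 'tumbo'
    user = f"{host_id}-host"                      # the AD logon name
    return user, f"{user}/{DOMAIN}@{REALM}"       # the principal kinit is run with


def parse_klist(text):
    """Extract the default principal and (start, expiry, service) ticket rows."""
    principal, tickets = None, []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif len(parts) == 5 and "/" in parts[0] and ":" in parts[1]:
            # a ticket row: start date+time, expiry date+time, service principal
            try:
                start = datetime.strptime(f"{parts[0]} {parts[1]}", TIME_FMT)
                end = datetime.strptime(f"{parts[2]} {parts[3]}", TIME_FMT)
            except ValueError:
                continue                          # column header or unrelated line
            tickets.append((start, end, parts[4]))
    return principal, tickets


def check_host_ticket(klist_text, hostname, at):
    """Return the problems found; an empty list means the host TGT is present and valid at 'at'."""
    _, expected = host_principal(hostname)
    principal, tickets = parse_klist(klist_text)
    now = datetime.strptime(at, TIME_FMT)
    tgt = f"krbtgt/{REALM}@{REALM}"
    problems = []
    if principal != expected:
        problems.append(f"default principal {principal!r}, expected {expected!r}")
    if not any(svc == tgt and start <= now < end for start, end, svc in tickets):
        problems.append(f"no {tgt} ticket valid at {at}")
    return problems


if __name__ == "__main__":
    for when in ("08/05/09 12:00:00", "08/05/09 20:00:00"):
        print(when, check_host_ticket(SAMPLE_KLIST, "tumbo.cs.uwaterloo.ca", when) or "OK")
```

On a real host the listing would come from `subprocess.run(["klist"], capture_output=True, text=True).stdout` and `at` from the current time; the parser is deliberately limited to the layout the page shows.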
Create folder and log files:
As root, create the following folder and files:
        # mkdir /var/log/krb5
        # touch /var/log/krb5/kdc.log
        # touch /var/log/krb5/kadmind.log

Initialize Kerberos client:
        kinit -k -t /etc/krb5.keytab <<HostID>>-host/cs.uwaterloo.ca@CS.UWATERLOO.CA

Verification:
        # klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: <<hostID-host>>/cs.uwaterloo.ca@CS.UWATERLOO.CA

        Valid starting     Expires            Service principal
        08/05/09 09:35:22  08/05/09 19:35:22  krbtgt/CS.UWATERLOO.CA@CS.UWATERLOO.CA
                renew until 08/06/09 09:35:22

        Kerberos 4 ticket cache: /tmp/tkt0
        klist: You have no tickets cached

=====================
Configuration files:
=====================
/etc/ldap.conf
/etc/nsswitch.conf
/etc/krb5.conf
/etc/security/access.conf
/etc/ssh/sshd_config
/etc/sudoers
/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/pam.d/common-session
/etc/pam.d/common-passwd or /etc/pam.d/common-password
/etc/pam.d/sudo

==========
Content of
==========
# /etc/krb5.conf
[libdefaults]
# [libdefaults]
        default_realm = CS.UWATERLOO.CA
        dns_lookup_realm = false
        dns_lookup_kdc = false
        ticket_lifetime = 24h
        forwardable = yes
#       default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
#       default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
        verify_ap_req_nofail = false

[realms]
        CSCF.UWATERLOO.CA = {
                kdc = elisa.cscf.uwaterloo.ca:88
                kdc = aeshena.cscf.uwaterloo.ca:88
                kdc = glaciais.cscf.uwaterloo.ca:88
                admin_server = elisa.cscf.uwaterloo.ca:464
                kpasswd_server = elisa.cscf.uwaterloo.ca:464
                kpasswd_protocol = SET_CHANGE
        }
        CS.UWATERLOO.CA = {
                kdc = intacta.cs.uwaterloo.ca:88
                kdc = serverus.cs.uwaterloo.ca:88
                kdc = viridis.cs.uwaterloo.ca:88
                admin_server = intacta.cs.uwaterloo.ca:464
                kpasswd_server = intacta.cs.uwaterloo.ca:464
                kpasswd_protocol = SET_CHANGE
        }
        STUDENT.CS.UWATERLOO.CA = {
                kdc = eponina.student.cs.uwaterloo.ca:88
                kdc = candenis.student.cs.uwaterloo.ca:88
                kdc = cyanea.student.cs.uwaterloo.ca:88
                admin_server = eponina.student.cs.uwaterloo.ca:464
                kpasswd_server = eponina.student.cs.uwaterloo.ca:464
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
        cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
        .cs.uwaterloo.ca = CS.UWATERLOO.CA
        cs.uwaterloo.ca = CS.UWATERLOO.CA
        .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
        student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA

[kdc]
        profile = /etc/krb5/kdc.conf

[logging]
        default = FILE:/var/log/krb5/kdc.log
        kdc = FILE:/var/log/krb5/kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log

[appdefaults]
        pam = {
                debug = true
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }
        kinit = {
                renewable = true
                forwardable = true
        }
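With dns_lookup_realm and dns_lookup_kdc both false, the [domain_realm] and [realms] stanzas above are the only thing that decides which KDCs a host talks to, so it is worth being able to answer "which realm does this host name map to, and which KDCs will it try" without waiting for a kinit failure. The Python below is an added example, not code from the page or the CSCF scripts: it parses the krb5.conf profile format (an abridged copy of the page's own file is embedded as KRB5_CONF), applies the [domain_realm] matching order (exact host name first, then parent domains with a leading dot, most specific first), lists a realm's KDCs, and flags any realm referenced by [domain_realm] or default_realm that has no KDC defined. The function names are the example's own.

```python
"""Resolve realm and KDCs for a host from the page's krb5.conf (added example,
not part of the page or the CSCF scripts). KRB5_CONF is an abridged copy of the
page's /etc/krb5.conf: [libdefaults], [realms] and [domain_realm] only."""

KRB5_CONF = """\
# /etc/krb5.conf (abridged copy of the page's configuration)
[libdefaults]
        default_realm = CS.UWATERLOO.CA
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        CSCF.UWATERLOO.CA = {
                kdc = elisa.cscf.uwaterloo.ca:88
                kdc = aeshena.cscf.uwaterloo.ca:88
                kdc = glaciais.cscf.uwaterloo.ca:88
        }
        CS.UWATERLOO.CA = {
                kdc = intacta.cs.uwaterloo.ca:88
                kdc = serverus.cs.uwaterloo.ca:88
                kdc = viridis.cs.uwaterloo.ca:88
        }
        STUDENT.CS.UWATERLOO.CA = {
                kdc = eponina.student.cs.uwaterloo.ca:88
                kdc = candenis.student.cs.uwaterloo.ca:88
                kdc = cyanea.student.cs.uwaterloo.ca:88
        }

[domain_realm]
        .cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
        cscf.uwaterloo.ca = CSCF.UWATERLOO.CA
        .cs.uwaterloo.ca = CS.UWATERLOO.CA
        cs.uwaterloo.ca = CS.UWATERLOO.CA
        .student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
        student.cs.uwaterloo.ca = STUDENT.CS.UWATERLOO.CA
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    Scalar settings become lists because a key such as 'kdc' may repeat;
    a 'name = {' line opens a nested dict that a bare '}' closes.
    """
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:                            # settings before any [section]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return conf


def realm_for_host(conf, hostname):
    """Map a host name to a realm via [domain_realm]; None if no rule matches."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:                          # exact host-name rule wins
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):              # parent domains, most specific first
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent][0]
    return None


def kdcs_for_realm(conf, realm):
    """KDCs of a realm, in the order the client will try them."""
    return list(conf.get("realms", {}).get(realm, {}).get("kdc", []))


def unmapped_realms(conf):
    """Realms named by [domain_realm] or default_realm that have no kdc in [realms]."""
    referenced = {v[0] for v in conf.get("domain_realm", {}).values()}
    referenced.update(conf.get("libdefaults", {}).get("default_realm", []))
    return sorted(r for r in referenced if not kdcs_for_realm(conf, r))


CONF = parse_krb5_conf(KRB5_CONF)

if __name__ == "__main__":
    for host in ("tumbo.cs.uwaterloo.ca", "lab1.student.cs.uwaterloo.ca", "elisa.cscf.uwaterloo.ca"):
        realm = realm_for_host(CONF, host)
        print(f"{host} -> {realm}: {', '.join(kdcs_for_realm(CONF, realm))}")
    print("realms without KDCs:", unmapped_realms(CONF) or "none")
```

The ordering in realm_for_host matters for this file: a host under student.cs.uwaterloo.ca also matches the broader .cs.uwaterloo.ca rule, and only the most-specific-first walk sends it to STUDENT.CS.UWATERLOO.CA.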