Ubuntu installation with CERN LDAP IT-CS users, kerberos authentication and afs home directories

1 Configure NTP

A reasonably precise clock is required by the Kerberos PAM authentication (the KDC rejects requests with too much clock skew), hence the best solution is to set up NTP.

Use CERN NTP servers

sudo service ntp status
sudo apt-get install -y ntp
sudo sed -i.orig -e 's/\(server [0-9]\)/#\1/' -e '/# Specify one or more NTP servers/aserver ip-time-1.cern.ch\nserver ip-time-2.cern.ch' /etc/ntp.conf
diff /etc/ntp.conf*

If the time drift is too big, do a manual sync

sudo service ntp stop
sudo ntpdate ip-time-1.cern.ch
sudo service ntp start

2 Configure LDAP for user accounts


sudo apt-get install -y libpam-ldap nscd
# answer all default values, and don't make local root Database admin

# apply slc5 example file from the CERN Linux ref above to /etc/ldap.conf

# auto configure /etc/nsswitch.conf for ldap
sudo auth-client-config -t nss -p lac_ldap

# The following command should include all it-dep-cs users
getent passwd

# Make sure that all non-standard login shells of the users are installed on the machine
sudo apt-get install -y tcsh zsh

# Restart nscd
sudo /etc/init.d/nscd restart

2.1 Assign local groups to users

Add a local group for "network power users":

sudo addgroup --gid 950 network

Get the pam module working

# create the following /usr/share/pam-configs/groups-ldap file
echo "Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
        required                        pam_group.so use_first_pass" > /usr/share/pam-configs/groups-ldap

# activate it (equivalent to editing /etc/pam.d/common-auth)
sudo pam-auth-update

Assign local groups to users in /etc/security/group.conf

# Group membership:
#  - list of power user groups: adm,cdrom,sudo,dip,plugdev,libvirtd,lpadmin,sambashare
#  - for /dev/tty user access via minicom/kermit: dialout

# Power users (via ldap login)

# All users (for ldap login)

3 Configure SUDO

As root, do:
# aliases
echo "## Command Aliases

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/sbin/ufw, /sbin/iwconfig, /sbin/mii-tool, /sbin/ethtool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/apt-get, /usr/bin/dpkg

## Services
Cmnd_Alias SERVICES = /usr/sbin/service, /sbin/status, /etc/init.d/*

## Processes
Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe, /sbin/rmmod

## Logs
Cmnd_Alias LOGS = /usr/bin/less /var/log/*, /usr/bin/tail /var/log/*" > /etc/sudoers.d/00-aliases

# groups
echo "%network  ALL = LOG_INPUT: NETWORKING, SOFTWARE, SERVICES, PROCESSES, LOGS" > /etc/sudoers.d/10-groups

# fix permissions
chmod 440 /etc/sudoers.d/*

4 Kerberos configuration

Please see CERN Kerberos access documentation

Basic kerberos Client/User configuration

sudo apt-get install -y krb5-user
# the realm name is CERN.CH

# Edit /etc/krb5.conf according to the CERN Kerberos access documentation

# Try and get a ticket
kinit sstancu@CERN.CH

Configure kerberos based user authentication (see Ubuntu Kerberos documentation)

# Install Kerberos client packages:
sudo apt-get install -y libpam-krb5 libpam-ccreds auth-client-config
# where:
#  - libpam-krb5        # PAM module for Kerberos authentication
#  - libpam-ccreds      # cache credentials so users can log in with no network access
#  - auth-client-config # Python script that helps configure authentication

# Disable Kerberos authentication for local users (uid below 1010, instead of the default 1000)
sudo sed -i -e 's/minimum_uid=1000/minimum_uid=1010/' /usr/share/pam-configs/krb5

# Auto-generate all /etc/pam.d/common-* files
sudo pam-auth-update

5 Install OpenAFS and run aklog automatically at login for users with AFS home directories

sudo apt-get install -y openafs-client openafs-modules-dkms openafs-krb5
#    - afs cell: "cern.ch"
#    - cache size: 524288
sudo service openafs-client start

# Check that it works:
kinit <user>@CERN.CH     # get kerberos ticket
aklog                  # login to AFS cell
touch /afs/cern.ch/user/s/<user>/foo

# automatically aklog after kerberos login authentication
sudo apt-get install -y libpam-afs-session
sudo pam-auth-update

6 Passwordless ssh with kerberos tickets

References: CERN Kerberos access documentation, OpenSSH Kerberos, Kerberos Single Sign On

6.1 Server side

Make sure you have a recent msktutil (v > 4.2). On Ubuntu you can compile it from source after installing the required dependencies:

sudo apt-get install -y libkrb53 libsasl2-modules-gssapi-mit build-essential libkrb5-dev libldap2-dev libsasl2-dev
cd msktutil-source-dir
make && make install

Make sure that hostname -f returns the FQDN

# edit /etc/hostname to contain your FQDN hostname

hostname -F /etc/hostname
hostname --fqdn

Acquire a keytab for the host service (http://linux.web.cern.ch/linux/docs/kerberos-access.shtml#msktutil):

# obtain hostname and password and wait for the DC servers to sync
# note: -k disables TLS certificate verification, and the response carries the new
# computer password, so prefer trusting the server certificate and dropping -k
KRB_RESULT=`mktemp /tmp/krb-result.XXXXXX`
curl -k --local-port 600-700 https://lxkerbwin.cern.ch/LxKerb.asmx/ResetComputerPassword?service=host > $KRB_RESULT
KRB_HOSTNAME=`perl -ne 'if(m@<hostname>(.*)</hostname>@){print $1;}' < $KRB_RESULT`
KRB_PASSWD=`perl -ne 'if(m@<computerpassword>(.*)</computerpassword>@){print $1;}' < $KRB_RESULT`
sleep 20

# get a real server domain name
CERNDC=`dig -t SRV _kerberos._tcp.cern.ch | perl -ne 'if(/_kerberos._tcp.cern.ch..*\s(cerndc.*.cern.ch)\./i){print $1; exit}'`

# as root, get a new host service keytab. It will be added to /etc/krb5.keytab
msktutil --update --dont-expire-password --server $CERNDC --computer-name $KRB_HOSTNAME --service host --old-account-password $KRB_PASSWD

# Check that the KVNOs in the keytab are in sync with those on CERN.CH
sudo klist -k -t -e
    # note the KVNOs of the local keytab entries
kvno host/<hostname>.cern.ch@CERN.CH
    # should report the same number as the local keytab entries
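The KVNO comparison above done by script, as an added example that is not part of the original page: it parses constructed samples of klist -k -t -e and kvno output (the hostname myhost.cern.ch and the timestamps are placeholders) and reports whether the key version the KDC uses is present in the local keytab; a mismatch is why GSSAPI logins fail right after a password reset.

```shell
#!/bin/sh
# Added example, not from the original page. Checks that the KVNO the KDC
# reports for the host principal is present in the local keytab listing.

# Constructed sample of `sudo klist -k -t -e` output (placeholder host and dates)
KLIST_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/25/12 10:00:00 host/myhost.cern.ch@CERN.CH (aes256-cts-hmac-sha1-96)
   3 06/25/12 10:00:00 host/myhost.cern.ch@CERN.CH (arcfour-hmac)
   2 06/20/12 09:00:00 host/myhost.cern.ch@CERN.CH (arcfour-hmac)'

# Constructed sample of `kvno host/myhost.cern.ch@CERN.CH` output
KVNO_OUT='host/myhost.cern.ch@CERN.CH: kvno = 3'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL: print the distinct KVNOs stored for PRINCIPAL.
# klist columns are: KVNO, date, time, principal, enctype.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p {print $1}' | sort -un
}

# kdc_kvno KVNO_OUTPUT: print the key version number reported by the KDC.
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# kvno_in_sync KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL:
#   returns 0 if the KDC's KVNO is in the keytab, 1 if not, 2 if kvno output is unusable.
kvno_in_sync() {
    kdc=$(kdc_kvno "$2")
    [ -n "$kdc" ] || return 2
    for k in $(keytab_kvnos "$1" "$3"); do
        [ "$k" = "$kdc" ] && return 0
    done
    return 1
}

# Run against the constructed samples; on a real host pass the live command output:
#   kvno_in_sync "$(sudo klist -k -t -e)" "$(kvno host/$(hostname -f)@CERN.CH)" host/$(hostname -f)@CERN.CH
if kvno_in_sync "$KLIST_OUT" "$KVNO_OUT" host/myhost.cern.ch@CERN.CH; then
    echo "keytab in sync with KDC"
else
    echo "KVNO mismatch: run msktutil --update again" >&2
fi
```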

Turn on GSSAPIAuthentication on the ssh server:

  • in /etc/ssh/sshd_config set GSSAPIAuthentication yes
  • restart ssh: sudo service ssh restart

6.2 Client side

# append the following to ~/.ssh/config . You may add other host-name wildcards
echo "HOST lxplus* vo-*
    # GSSAPITrustDns yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes" >> ~/.ssh/config

6.3 Troubleshooting

Turn on debugging

# on the server
sudo /usr/sbin/sshd -p 2222 -d

# on the client
ssh -p 2222 -vvv <hostname>

If you get "No key table entry found matching host/@...", it is most likely because 'hostname -f' does not return the FQDN.

-- StefanStancu - 25-Jun-2012

Topic revision: r5 - 2015-08-03 - StefanStancu