Difference between revisions of "Ubuntu"


(Update to Ubuntu 14.04)
(Moved article to UCS extended documentation. Replaced content with a link to the docs)
Line 1: Line 1:
 
{{Version|UCS=3}}
 
{{Version|UCS=3}}
  
This guide describes the integration of Ubuntu into a UCS 3 domain. This configuration has been tested with Ubuntu 14.04 LTS as well as Kubuntu 14.04 LTS.
+
Documentation about integrating Ubuntu clients into a UCS 3 domain can be found in the [http://docs.univention.de/domain-3.2.html UCS extended documentation]
 
 
= LDAP and SSL configuration =
 
After Ubuntu has been installed, some of it's configuration files need to be modified. To simplify the setup, the default configuration of the UCS master domain controller should be copied to the Ubuntu system, for example:
 
<source lang=bash>
 
# Become root
 
sudo bash
 
 
 
# Set the IP address of the UCS DC Master
 
export MASTER_IP=192.168.0.3
 
 
 
mkdir /etc/univention
 
ssh root@${MASTER_IP} ucr shell | grep -v ^hostname= >/etc/univention/ucr_master
 
echo "master_ip=${MASTER_IP}" >>/etc/univention/ucr_master
 
chmod 660 /etc/univention/ucr_master
 
. /etc/univention/ucr_master
 
 
 
echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts
 
 
 
# Exit sudo bash
 
exit
 
</source>
 
 
 
The anonymous LDAP search is disabled by default in UCS 3. The Ubuntu client thus needs an account in the UCS 3 domain to gain read access to the LDAP directory.
 
<source lang=bash>
 
# Become root
 
sudo bash
 
 
 
# Set some environment variables
 
. /etc/univention/ucr_master
 
 
 
# Download the SSL certificate
 
mkdir -p /etc/univention/ssl/ucsCA/
 
wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://${ldap_master}/ucs-root-ca.crt
 
 
 
# Create an account and save the password
 
password="$(< /dev/urandom tr -dc A-Za-z0-9_ | head -c20)"
 
if [ "$version_version" = 3.0 ] && [ "$version_patchlevel" -lt 2 ]; then
 
    ssh root@${ldap_master} udm computers/managedclient create --position "cn=computers,${ldap_base}" \
 
        --set name=$(hostname) --set password="${password}"
 
else
 
    ssh root@${ldap_master} udm computers/ubuntu create --position "cn=computers,${ldap_base}" \
 
        --set name=$(hostname) --set password="${password}" \
 
        --set operatingSystem="$(lsb_release -is)" \
 
        --set operatingSystemVersion="$(lsb_release -rs)"
 
fi
 
echo "${password}" > /etc/ldap.secret
 
 
 
# Create ldap.conf
 
cat >/etc/ldap/ldap.conf <<__EOF__
 
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
 
URI ldap://$ldap_master:7389
 
BASE $ldap_base
 
__EOF__
 
 
 
# Exit sudo bash
 
exit
 
</source>
 
 
 
= System Security Services Daemon (SSSD) =
 
SSSD provides a set of daemons to manage access to remote directories and  authentication mechanisms.
 
 
 
<source lang=bash>
 
# Become root
 
sudo bash
 
 
 
# Set some environment variables
 
. /etc/univention/ucr_master
 
 
 
# Install SSSD based configuration
 
DEBIAN_FRONTEND=noninteractive apt-get -y install sssd
 
 
 
 
 
# Create sssd.conf
 
cat >/etc/sssd/sssd.conf <<__EOF__
 
[sssd]
 
config_file_version = 2
 
reconnection_retries = 3
 
sbus_timeout = 30
 
services = nss, pam, sudo
 
domains = $kerberos_realm
 
 
 
[nss]
 
reconnection_retries = 3
 
 
 
[pam]
 
reconnection_retries = 3
 
 
 
[domain/$kerberos_realm]
 
auth_provider = krb5
 
krb5_kdcip = ${master_ip}
 
krb5_realm = ${kerberos_realm}
 
krb5_server = ${ldap_master}
 
krb5_kpasswd = ${ldap_master}
 
id_provider = ldap
 
ldap_uri = ldap://${ldap_master}:7389
 
ldap_search_base = ${ldap_base}
 
ldap_tls_reqcert = never
 
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
 
cache_credentials = true
 
enumerate = true
 
ldap_default_bind_dn = cn=$(hostname),cn=computers,${ldap_base}
 
ldap_default_authtok_type = password
 
ldap_default_authtok = $(cat /etc/ldap.secret)
 
__EOF__
 
chmod 600 /etc/sssd/sssd.conf
 
 
 
# Install auth-client-config
 
DEBIAN_FRONTEND=noninteractive apt-get -y install auth-client-config
 
 
 
# Create an auth config profile for sssd
 
cat > /etc/auth-client-config/profile.d/sss <<__EOF__
 
[sss]
 
nss_passwd=    passwd:        compat sss
 
nss_group=      group:          compat sss
 
nss_shadow=    shadow:        compat
 
nss_netgroup=  netgroup:      nis
 
 
 
pam_auth=      auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
 
                auth    requisite                      pam_succeed_if.so uid >= 500 quiet
 
                auth    [success=1 default=ignore]      pam_sss.so use_first_pass
 
                auth    requisite                      pam_deny.so
 
                auth    required                        pam_permit.so
 
 
 
pam_account=    account required                                        pam_unix.so
 
                account sufficient                                      pam_localuser.so
 
                account sufficient                                      pam_succeed_if.so uid < 500 quiet
 
                account [default=bad success=ok user_unknown=ignore]    pam_sss.so
 
                account required                                        pam_permit.so
 
 
 
pam_password=  password        sufficient      pam_unix.so obscure sha512
 
                password        sufficient      pam_sss.so use_authtok
 
                password        required        pam_deny.so
 
 
 
pam_session=    session required                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
 
                session optional                        pam_keyinit.so revoke
 
                session required                        pam_limits.so
 
                session [success=1 default=ignore]      pam_sss.so
 
                session required                        pam_unix.so
 
__EOF__
 
auth-client-config -n -a -p sss
 
 
 
# Restart sssd
 
restart sssd
 
 
 
# Exit sudo bash
 
exit
 
</source>
 
 
 
The commands <tt>getent passwd</tt> and <tt>getent group</tt> should now also display all users and groups of the UCS 3 domain.
 
 
 
= Configuring user logins =
 
The home directory of a user should be created automatically during login:
 
<source lang=bash>
 
# Become root
 
sudo bash
 
 
 
cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__
 
Name: activate mkhomedir
 
Default: yes
 
Priority: 900
 
Session-Type: Additional
 
Session:
 
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
 
__EOF__
 
 
 
DEBIAN_FRONTEND=noninteractive pam-auth-update
 
 
 
# Exit sudo bash
 
exit
 
</source>
 
 
 
During login users should also be added to some system groups, e.g.:
 
<source lang=bash>
 
# Become root
 
sudo bash
 
 
 
echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' >>/etc/security/group.conf
 
 
 
cat >>/usr/share/pam-configs/local_groups <<__EOF__
 
Name: activate /etc/security/group.conf
 
Default: yes
 
Priority: 900
 
Auth-Type: Primary
 
Auth:
 
        required                        pam_group.so use_first_pass
 
__EOF__
 
 
 
DEBIAN_FRONTEND=noninteractive pam-auth-update
 
 
 
# Exit sudo bash
 
exit
 
</source>
 
 
 
By default Ubuntu only displays a list of local users during login.
 
After adding the following lines an arbitrary user name can be used:
 
<source lang=bash>
 
# Become root
 
sudo bash
 
 
 
# Add a field for a user name, disable user selection at the login screen
 
mkdir /etc/lightdm/lightdm.conf.d
 
cat >>/etc/lightdm/lightdm.conf.d/99-show-manual-userlogin.conf <<__EOF__
 
[SeatDefaults]
 
greeter-show-manual-login=true
 
greeter-hide-users=true
 
__EOF__
 
 
 
# Exit sudo bash
 
exit
 
</source>
 
 
 
Kubuntu 14.04 has accountsservice installed so the lightdm.conf is ignored. Since there is no config file for accountsservice change the login theme to classic in System Settings -> Login Screen (LightDM) while being logged in locally.
 
 
 
With these settings the login for domain members should be possible after a restart of LightDM or a reboot.
 
 
 
= Kerberos integration =
 
Every UCS 3 domain provides a Kerberos domain. Since Kerberos relies heavily on DNS, the Ubuntu client should use a UCS system as the DNS server. The following steps show an example configuration for Kerberos:
 
<source lang=bash>
 
# Become root
 
sudo bash
 
 
 
# Set some environment variables
 
. /etc/univention/ucr_master
 
 
 
# Install required packages
 
DEBIAN_FRONTEND=noninteractive apt-get install -y heimdal-clients
 
 
 
# Default krb5.conf
 
cat >/etc/krb5.conf <<__EOF__
 
[libdefaults]
 
    default_realm = $kerberos_realm
 
    kdc_timesync = 1
 
    ccache_type = 4
 
    forwardable = true
 
    proxiable = true
 
 
 
[realms]
 
$kerberos_realm = {
 
  kdc = $master_ip $ldap_master
 
  admin_server = $master_ip $ldap_master
 
}
 
__EOF__
 
 
 
# Stop and disable the avahi daemon
 
stop avahi-daemon
 
sed -i 's|start on (|start on (never and |' /etc/init/avahi-daemon.conf
 
 
 
# Synchronize the time with the UCS system
 
ntpdate -bu $ldap_master
 
 
 
# Test Kerberos
 
kinit Administrator
 
 
 
# Requires domain password
 
krsh Administrator@$ldap_master ls /etc/univention
 
 
 
# Destroy the kerberos ticket
 
kdestroy
 
 
 
# Exit sudo bash
 
exit
 
</source>
 
 
 
= Limitations =
 
The password change at the graphical display manager/login screen is not possible. The password can be changed via ''kpasswd'' or via the UMC module password change.
 
 
 
= Links =
 
* Univention Forum - UCC in [http://forum.univention.de/viewforum.php?f=65 english] and [http://forum.univention.de/viewforum.php?f=64 german]
 
* https://help.ubuntu.com/community/LDAPClientAuthentication
 
* https://help.ubuntu.com/community/SingleSignOn
 
* https://help.ubuntu.com/community/PamCcredsHowto
 
* http://www.opinsys.fi/en/user-management-with-sssd-on-shared-laptops
 
  
 
[[Category:EN]]
 
[[Category:EN]]
 
[[Category:Other Operating Systems]]
 
[[Category:Other Operating Systems]]

Revision as of 08:41, 16 June 2014

Produktlogo UCS Version 3

Documentation about integrating Ubuntu clients into a UCS 3 domain can be found in the UCS extended documentation
