Difference between revisions of "Ubuntu"

From Univention Wiki

{{Version|UCS=3.0}}
Documentation about integrating Ubuntu clients into a UCS 3 domain can be found in the [http://docs.univention.de/domain-3.2.html UCS extended documentation]
  
This guide describes the integration of an Ubuntu client into a UCS 3 domain. This configuration has been tested with Ubuntu 12.04 LTS and Kubuntu 12.04 LTS.

Documentation about integrating Ubuntu clients into a UCS 4 domain can be found in the [http://docs.univention.de/domain-4.1.html UCS extended documentation]
  
= LDAP and SSL configuration =
 
After Ubuntu has been installed, the basic configuration must be done. To keep this simple, the UCR variables of the UCS master should be copied to the Ubuntu system, for example:
 
<source lang=bash>
# IP address of the UCS master (adjust to your environment)
export MASTER_IP=10.201.1.1

# Copy the UCR variables of the master, except its hostname, and load them into this shell
mkdir /etc/univention
ssh ${MASTER_IP} ucr shell | grep -v ^hostname= >/etc/univention/ucr_master
. /etc/univention/ucr_master

# Make the master's name resolvable even before DNS is configured
echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts
</source>
 
 
Anonymous LDAP search is disabled by default in UCS 3, so the Ubuntu client needs an account in the UCS 3 domain to get read access to the LDAP directory.
 
<source lang=bash>
# Set some environment variables
. /etc/univention/ucr_master

# Download the SSL certificate of the UCS root CA
mkdir -p /etc/univention/ssl/ucsCA/
wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://${ldap_master}/ucs-root-ca.crt

# Create a computer account for this client and save its password
password="$(< /dev/urandom tr -dc A-Za-z0-9_ | head -c8)"
ssh root@${ldap_master} udm computers/managedclient create --position cn=computers,${ldap_base} \
                        --set name=$(hostname) --set password="${password}"
echo "${password}" > /etc/ldap.secret
# The bind password must only be readable by root
chmod 600 /etc/ldap.secret

# Install LDAP client tools
DEBIAN_FRONTEND=noninteractive apt-get install -y libnss-ldap ldap-utils nscd

# Create ldap.conf for the OpenLDAP client tools (ldapsearch etc.)
cat >/etc/ldap/ldap.conf <<__EOF__
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
URI ldap://$ldap_master:7389
BASE $ldap_base
__EOF__

# Create ldap.conf for nss_ldap/pam_ldap; rootbinddn binds with the password from /etc/ldap.secret
cat >/etc/ldap.conf <<__EOF__
uri ldap://$ldap_master:7389
rootbinddn cn=$(hostname),cn=computers,${ldap_base}

base ${ldap_base}
ldap_version 3
scope sub
ssl start_tls
# "no" means the server certificate is not verified against the downloaded CA certificate
tls_checkpeer no
nss_initgroups_ignoreusers root
__EOF__

# Activate ldap in nsswitch
auth-client-config -t nss -p lac_ldap
</source>
 
The commands getent passwd and getent group should now also display all users and groups of the UCS 3 domain.
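The configuration above binds with a password stored in a file and, as written, does not verify the server certificate. The following audit helper is an added example and not part of the wiki page; it checks the pam_ldap settings a defender would want to re-examine. The paths are parameters so it can run against copies, and it assumes GNU stat (Linux).

```sh
#!/bin/sh
# Added audit helper; it is not part of the wiki page. It inspects the pam_ldap
# configuration written above (/etc/ldap.conf and /etc/ldap.secret, passed as
# parameters so it can also be run against copies) and reports the settings a
# defender should double-check. Assumes GNU stat (Linux).
#
# Usage: audit_ldap_client /etc/ldap.conf /etc/ldap.secret
# Prints one FINDING line per issue; returns 1 if anything was flagged, else 0.
audit_ldap_client() {
    conf="$1"; secret="$2"; findings=0
    # Fetch the first value of a "key value" line (pam_ldap keys are lower case).
    get() { sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$conf" | head -n 1; }

    # 1. Transport security: either STARTTLS on the ldap:// port or an ldaps:// uri.
    if [ "$(get ssl)" != "start_tls" ] && ! grep -q '^uri[[:space:]][[:space:]]*ldaps://' "$conf"; then
        echo "FINDING: $conf: no TLS (neither 'ssl start_tls' nor an ldaps:// uri)"
        findings=1
    fi
    # 2. Certificate verification: "tls_checkpeer no" accepts any server certificate,
    #    so the CA file downloaded earlier is never actually used for checking.
    if [ "$(get tls_checkpeer)" != "yes" ]; then
        echo "FINDING: $conf: tls_checkpeer is not 'yes'; the server certificate is not verified"
        findings=1
    fi
    # 3. The bind password file must exist and be readable by root only.
    if [ -n "$(get rootbinddn)" ]; then
        if [ ! -e "$secret" ]; then
            echo "FINDING: rootbinddn is set but $secret is missing"
            findings=1
        else
            mode=$(stat -c %a "$secret")
            case "$mode" in
                600|400) ;;
                *) echo "FINDING: $secret has mode $mode, expected 600"; findings=1 ;;
            esac
        fi
    fi
    return $findings
}
```

Run it after the steps above; with the page's `tls_checkpeer no` it reports one finding, which is expected until the CA certificate is trusted and the setting changed to `yes`.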
 
 
= Login =
 
To allow domain users to log in, the home directory should be created automatically at login:
 
<source lang=bash>
# Create a pam-auth-update profile that enables pam_mkhomedir
cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
__EOF__

# Apply the profile to the PAM configuration
DEBIAN_FRONTEND=noninteractive pam-auth-update
</source>
 
 
The users should be added to some groups during the login, for example:
 
<source lang=bash>
# Every user (any service, any tty, any time) gets these local groups at login
echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' >>/etc/security/group.conf

# Create a pam-auth-update profile that enables pam_group
cat >>/usr/share/pam-configs/local_groups <<__EOF__
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
__EOF__

# Apply the profile to the PAM configuration
DEBIAN_FRONTEND=noninteractive pam-auth-update
</source>
 
 
By default Ubuntu (12.04 LTS) shows only local users at the login screen. After adding the following line, a user name can be entered manually:
 
<source lang=bash>
# Add a field for a user name
echo "greeter-show-manual-login=true" >>/etc/lightdm/lightdm.conf

# Optional: Disable the user selection at the login screen
echo "greeter-hide-users=true" >>/etc/lightdm/lightdm.conf
</source>
 
 
With these settings the login for domain members should be possible.
 
 
= Kerberos integration =
 
A UCS 3 domain provides a Kerberos realm. The Ubuntu client should use the UCS 3 DNS server, because Kerberos relies heavily on DNS. The following steps show an example configuration:
 
<source lang=bash>
# Set some environment variables
. /etc/univention/ucr_master

# Install required packages
DEBIAN_FRONTEND=noninteractive apt-get install -y heimdal-clients libpam-heimdal

# Default krb5.conf: realm and KDC are taken from the UCR variables of the master
cat >/etc/krb5.conf <<__EOF__
[libdefaults]
    default_realm = $kerberos_realm
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
$kerberos_realm = {
  kdc = $ldap_master
  admin_server = $ldap_master
}
__EOF__

# Stop and disable the avahi daemon (it interferes with .local name resolution)
service avahi-daemon stop
sed -i 's|start on (|start on (never and |' /etc/init/avahi-daemon.conf

# Synchronize the time with the UCS system (Kerberos rejects tickets with a large clock skew)
ntpdate $ldap_master

# Test Kerberos
kinit Administrator

# This login shouldn't ask for a password
ssh Administrator@$ldap_master ls /etc/univention

# Destroy the kerberos ticket
kdestroy
</source>
 
 
= Authentication caching =
 
Cached credentials are helpful if no UCS domain controller can be reached. Caching can be activated with the following steps:
 
<source lang=bash>
# Install packages
DEBIAN_FRONTEND=noninteractive apt-get install -y nss-updatedb libnss-db libpam-ccreds

# Dump the LDAP data into the local db backend
nss_updatedb ldap

# Call it every day; the unquoted heredoc expands `which nss_updatedb` now,
# so the cron script contains the absolute path
cat >/etc/cron.daily/upd-local-nss-db <<__EOF__
#!/bin/sh
`which nss_updatedb` ldap
__EOF__
chmod +x /etc/cron.daily/upd-local-nss-db

# Add a NOTFOUND action for ldap in nsswitch.conf: the local db copy is only
# consulted when LDAP is unreachable, not when LDAP says the entry does not exist
sed -i -e 's|^passwd: .*|passwd: files ldap [NOTFOUND=return] db|' \
       -e 's|^group: .*|group: files ldap [NOTFOUND=return] db|' /etc/nsswitch.conf

# Skip pam_ldap if user_unknown or authinfo_unavail as well
sed -i 's/^\(account.*\[success=\)\(.\)\(.*pam_ldap.so\)/\1\2 user_unknown=\2 authinfo_unavail=\2 \3/' \
      /etc/pam.d/common-account
</source>
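The `[NOTFOUND=return]` action in the nsswitch.conf lines above is what keeps the stale db copy from answering for users that have been deleted in LDAP. As an added illustration that is not part of the wiki page, the function below simulates how the resolver walks such a line; the per-source statuses are constructed input, and only the single-pair `[STATUS=return]` modifier form used on this page is modelled.

```sh
#!/bin/sh
# Added simulation (not from the wiki page) of how glibc walks an nsswitch.conf
# line such as "passwd: files ldap [NOTFOUND=return] db". Each source reports a
# status; the default actions are SUCCESS=return and NOTFOUND/UNAVAIL=continue,
# and a bracketed modifier overrides the action for the source right before it.
# Statuses are supplied as "source=STATUS" words (constructed input) so the walk
# can be exercised offline. Only "[STATUS=return]" modifiers are modelled.
#
# Usage: nss_walk "files ldap [NOTFOUND=return] db" files=NOTFOUND ldap=UNAVAIL db=SUCCESS
# Prints "<last source consulted> <final status>", or "- NOTFOUND" if nothing answered.
nss_walk() {
    spec="$1"; shift
    last=""; status=""
    for tok in $spec; do
        case "$tok" in
            "["*"]")
                # Modifier for the source just consulted, e.g. [NOTFOUND=return]
                mod=${tok#"["}; mod=${mod%"]"}
                if [ "${mod%=*}" = "$status" ] && [ "${mod#*=}" = "return" ]; then
                    echo "$last $status"; return 0
                fi
                ;;
            *)
                # Default action for the previous source: SUCCESS returns, anything else continues
                if [ "$status" = "SUCCESS" ]; then echo "$last $status"; return 0; fi
                last="$tok"; status="UNAVAIL"   # a source without a supplied status counts as unavailable
                for kv in "$@"; do
                    if [ "${kv%=*}" = "$tok" ]; then status="${kv#*=}"; fi
                done
                ;;
        esac
    done
    if [ "$status" = "SUCCESS" ]; then echo "$last $status"; else echo "- ${status:-NOTFOUND}"; fi
}
```

Comparing `"files ldap [NOTFOUND=return] db"` with `"files ldap db"` for a user that LDAP reports as NOTFOUND shows the difference: with the modifier the lookup stops at ldap, without it the cached db entry still resolves.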
 
 
= Links =
 
* https://help.ubuntu.com/community/LDAPClientAuthentication
* https://help.ubuntu.com/community/SingleSignOn
* https://help.ubuntu.com/community/PamCcredsHowto
 
 
[[Category:EN]]
[[Category:Other Operating Systems]]

Latest revision as of 13:12, 2 June 2016