Difference between revisions of "Ubuntu"

From Univention Wiki

m (Highlighting)

Revision as of 06:15, 11 June 2012


This guide describes how to join Ubuntu to a UCS 3 domain. This configuration has been tested with Ubuntu 12.04 LTS and Kubuntu 12.04 LTS.

LDAP and SSL configuration

After Ubuntu has been installed, the basic configuration must be done. To keep this simple, the configuration of the UCS master should be copied to the Ubuntu system, for example:

export MASTER_IP=10.201.1.1

mkdir /etc/univention
ssh ${MASTER_IP} ucr shell | grep -v ^hostname= >/etc/univention/ucr_master
. /etc/univention/ucr_master

echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts

The anonymous LDAP search is disabled by default in UCS 3. The Ubuntu client needs an account in the UCS 3 domain to get read access to the LDAP directory.

# Set some environment variables
. /etc/univention/ucr_master

# Download the certificate of the UCS CA (fetched over plain HTTP; compare its
# fingerprint with the copy on the UCS master before trusting it)
mkdir -p /etc/univention/ssl/ucsCA/
wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://${ldap_master}/ucs-root-ca.crt

# Create a machine account and save its password
password="$(< /dev/urandom tr -dc A-Za-z0-9_ | head -c8)"
ssh root@${ldap_master} udm computers/managedclient create --position cn=computers,${ldap_base} \
                        --set name=$(hostname) --set password="${password}"
# The secret file is read by pam_ldap/libnss-ldap as root; keep it readable by root only
echo "${password}" > /etc/ldap.secret
chmod 600 /etc/ldap.secret

# Install LDAP client tools
DEBIAN_FRONTEND=noninteractive apt-get install libnss-ldap ldap-utils nscd

# Create ldap.conf for the OpenLDAP client tools (ldapsearch etc.)
cat >/etc/ldap/ldap.conf <<__EOF__
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
URI ldap://$ldap_master:7389
BASE $ldap_base
__EOF__

# Create ldap.conf for pam_ldap/libnss-ldap
cat >/etc/ldap.conf <<__EOF__
uri ldap://$ldap_master:7389
rootbinddn cn=$(hostname),cn=computers,${ldap_base}

base ${ldap_base}
ldap_version 3
scope sub
ssl start_tls
# tls_checkpeer no disables verification of the server certificate;
# the CA downloaded above is not used by this file
tls_checkpeer no
nss_initgroups_ignoreusers root
__EOF__

# Activate ldap in nsswitch
auth-client-config -t nss -p lac_ldap

The commands getent passwd and getent group should now also display all users and groups of the UCS 3 domain.
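As an added check that is not part of the Univention guide, the following script audits a pam_ldap/libnss-ldap /etc/ldap.conf of the form written above for settings that undo the TLS setup, and checks the permissions of the secret file holding the machine account's password. The sample files, host name and base DN it builds are constructed; tls_cacertfile in the hardened copy is the standard pam_ldap option for naming the CA; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the Univention page): audit the pam_ldap/libnss-ldap
# client configuration for a non-verified STARTTLS setup and a readable secret.

# Print one finding per line; return 1 if anything was found, else 0.
audit_ldap_conf() {
    f="$1"; bad=0
    if grep -qE '^ssl[[:space:]]+start_tls' "$f"; then
        # "tls_checkpeer no" accepts any certificate, so a server that spoofs
        # the UCS master could collect the machine account's bind password
        if grep -qE '^tls_checkpeer[[:space:]]+no' "$f"; then
            echo "tls_checkpeer no: server certificate is not verified"; bad=1
        fi
        # without tls_cacertfile the CA fetched to /etc/univention/ssl is unused
        if ! grep -qE '^tls_cacertfile[[:space:]]+' "$f"; then
            echo "tls_cacertfile missing: nothing to verify the server against"; bad=1
        fi
    else
        echo "ssl start_tls missing: bind password crosses the network in clear"; bad=1
    fi
    return $bad
}

# Return 0 if the secret file exists with mode 0600 (GNU stat assumed).
check_secret_mode() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Constructed sample files: the page's settings (weak) and a hardened copy;
# host name and base DN are placeholders.
TMP="$(mktemp -d)"
cat >"$TMP/ldap.conf.weak" <<'__EOF__'
uri ldap://master.example.test:7389
base dc=example,dc=test
ssl start_tls
tls_checkpeer no
__EOF__
cat >"$TMP/ldap.conf.hardened" <<'__EOF__'
uri ldap://master.example.test:7389
base dc=example,dc=test
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/univention/ssl/ucsCA/CAcert.pem
__EOF__
echo "constructed-machine-password" >"$TMP/ldap.secret"; chmod 644 "$TMP/ldap.secret"
audit_ldap_conf "$TMP/ldap.conf.weak" || echo "weak config: fix before joining"
audit_ldap_conf "$TMP/ldap.conf.hardened" && echo "hardened config: ok"
check_secret_mode "$TMP/ldap.secret" || echo "ldap.secret should be mode 0600"
```

Point the two functions at the real /etc/ldap.conf and /etc/ldap.secret to check a client after the steps above.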

Login

To allow users to log in, their home directory should be created at login.

cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update

Users can be added to local groups at login, for example:

echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev' >>/etc/security/group.conf

cat >>/usr/share/pam-configs/local_groups <<__EOF__
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required                        pam_group.so use_first_pass
__EOF__

DEBIAN_FRONTEND=noninteractive pam-auth-update

By default Ubuntu (12.04 LTS) shows only local users at the login screen. After adding the following line, a user name can be entered manually:

# Add a field for a user name
echo "greeter-show-manual-login=true" >>/etc/lightdm/lightdm.conf

# Optional: Disable the user selection at the login screen
echo "greeter-hide-users=true" >>/etc/lightdm/lightdm.conf

With these settings, domain members should be able to log in.

Kerberos integration

A UCS 3 domain provides a Kerberos realm. The Ubuntu client should use the UCS 3 DNS server, because Kerberos relies heavily on DNS. The following steps show an example configuration:

# Set some environment variables
. /etc/univention/ucr_master

# Install required packages
DEBIAN_FRONTEND=noninteractive apt-get install heimdal-clients libpam-heimdal

# Default krb5.conf
cat >/etc/krb5.conf <<__EOF__
[libdefaults]
    default_realm = $kerberos_realm
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
$kerberos_realm = {
   kdc = $ldap_master
   admin_server = $ldap_master
}
__EOF__

# Stop and disable the avahi daemon
service avahi-daemon stop
sed -i 's|start on (|start on (never and |' /etc/init/avahi-daemon.conf

# Synchronize the time with the UCS system
ntpdate $ldap_master

# Test Kerberos
kinit Administrator

# This login shouldn't ask for a password
ssh Administrator@$ldap_master ls /etc/univention

# Destroy the kerberos ticket
kdestroy

Authentication caching

Cached credentials are helpful if no UCS domain controller can be reached. They can be activated with the following steps:

# Install packages
DEBIAN_FRONTEND=noninteractive apt-get install nss-updatedb libnss-db libpam-ccreds 

# Dump the LDAP data
nss_updatedb ldap

# Call it every day
cat >/etc/cron.daily/upd-local-nss-db <<__EOF__
#!/bin/sh
`which nss_updatedb` ldap
__EOF__
chmod +x /etc/cron.daily/upd-local-nss-db

# Added NOTFOUND case for ldap in nsswitch.conf
sed -i 's|^passwd: .*|passwd: files ldap [NOTFOUND=return] db|; \
        s|^group: .*|group: files ldap [NOTFOUND=return] db|' /etc/nsswitch.conf

# Skip pam_ldap if user_unknown or authinfo_unavail as well
sed -i 's/^\(account.*\[success=\)\(.\)\(.*pam_ldap.so\)/\1\2 user_unknown=\2 authinfo_unavail=\2 \3/' \
       /etc/pam.d/common-account
