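--- a/WIKI_PAGE_PATH_PLACEHOLDER
+++ b/WIKI_PAGE_PATH_PLACEHOLDER
@@ -1,217 +1,6 @@
-{{Version|UCS=3.0}}
+Documentation about integrating Ubuntu clients into a UCS 3 domain can be found in the [http://docs.univention.de/domain-3.2.html UCS extended documentation]
 
-This guide describes the inclusion of Ubuntu into an UCS 3 domain. This configuration has been tested with Ubuntu 12.04 LTS and Kubuntu 12.04 LTS.
+Documentation about integrating Ubuntu clients into a UCS 4 domain can be found in the [http://docs.univention.de/domain-4.1.html UCS extended documentation]
-
-= LDAP and SSL configuration =
-After Ubuntu has been installed, the default basis configuration must be done. For an easy use, the default configuration of the UCS Master should be copied to the Ubuntu system, for example:
-<source lang=bash>
-export MASTER_IP=192.168.0.3
-
-mkdir /etc/univention
-ssh ${MASTER_IP} ucr shell | grep -v ^hostname= >/etc/univention/ucr_master
-echo "master_ip=${MASTER_IP}" >>/etc/univention/ucr_master
-. /etc/univention/ucr_master
-
-echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts
-</source>
-
-The anonymous LDAP search is disabled by default in UCS 3. The Ubuntu client needs an account in the UCS 3 domain to get read access to the LDAP directory.
-<source lang=bash>
-# Set some environment variables
-. /etc/univention/ucr_master
-
-# Download the SSL certificate
-mkdir -p /etc/univention/ssl/ucsCA/
-wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://${ldap_master}/ucs-root-ca.crt
-
-# Create an account and save the password
-password="$(< /dev/urandom tr -dc A-Za-z0-9_ | head -c8)"
-ssh root@${ldap_master} udm computers/managedclient create --position cn=computers,${ldap_base} \
---set name=$(hostname) --set password="${password}"
-echo "${password}" > /etc/ldap.secret
-
-# Create ldap.conf
-cat >/etc/ldap/ldap.conf <<__EOF__
-TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
-URI ldap://$ldap_master:7389
-BASE $ldap_base
-__EOF__
-</source>
-
-= System Security Services Daemon (SSSD) =
-SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms.
-
-<source lang=bash>
-# Set some environment variables
-. /etc/univention/ucr_master
-
-# Install SSSD based configuration
-DEBIAN_FRONTEND=noninteractive apt-get install sssd
-
-
-# Create sssd.conf
-cat >/etc/sssd/sssd.conf <<__EOF__
-[sssd]
-config_file_version = 2
-reconnection_retries = 3
-sbus_timeout = 30
-services = nss, pam, sudo
-domains = $kerberos_realm
-
-[nss]
-reconnection_retries = 3
-
-[pam]
-reconnection_retries = 3
-
-[domain/$kerberos_realm]
-auth_provider = krb5
-krb5_kdcip = ${master_ip}
-krb5_realm = ${kerberos_realm}
-krb5_server = ${ldap_master}
-krb5_kpasswd = ${ldap_master}
-id_provider = ldap
-ldap_uri = ldap://${ldap_master}:7389
-ldap_search_base = ${ldap_base}
-ldap_tls_reqcert = never
-ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
-cache_credentials = true
-enumerate = true
-ldap_default_bind_dn = cn=$(hostname),cn=computers,${ldap_base}
-ldap_default_authtok_type = password
-ldap_default_authtok = $(cat /etc/ldap.secret)
-__EOF__
-chmod 600 /etc/sssd/sssd.conf
-
-# Install auth-client-config
-DEBIAN_FRONTEND=noninteractive apt-get install auth-client-config
-
-# Create an auth config profile for sssd
-cat > /etc/auth-client-config/profile.d/sss <<__EOF__
-[sss]
-nss_passwd= passwd: compat sss
-nss_group= group: compat sss
-nss_shadow= shadow: compat
-nss_netgroup= netgroup: nis
-
-pam_auth= auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
-auth requisite pam_succeed_if.so uid >= 500 quiet
-auth [success=1 default=ignore] pam_sss.so use_first_pass
-auth requisite pam_deny.so
-auth required pam_permit.so
-
-pam_account= account required pam_unix.so
-account sufficient pam_localuser.so
-account sufficient pam_succeed_if.so uid < 500 quiet
-account [default=bad success=ok user_unknown=ignore] pam_sss.so
-account required pam_permit.so
-
-pam_password= password sufficient pam_unix.so obscure sha512
-password sufficient pam_sss.so use_authtok
-password required pam_deny.so
-
-pam_session= session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
-session optional pam_keyinit.so revoke
-session required pam_limits.so
-session [success=1 default=ignore] pam_sss.so
-session required pam_unix.so
-__EOF__
-auth-client-config -n -a -p sss
-
-# Start sssd
-service sssd start
-</source>
-
-The commands <tt>getent passwd</tt> and <tt>getent group</tt> should now also display all users and groups of the UCS 3 domain.
-
-= Login =
-To allow the users the login the home directory should be created by the login.
-<source lang=bash>
-cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__
-Name: activate mkhomedir
-Default: yes
-Priority: 900
-Session-Type: Additional
-Session:
-required pam_mkhomedir.so umask=0022 skel=/etc/skel
-__EOF__
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
-</source>
-
-The users should be added to some groups during the login, for example:
-<source lang=bash>
-echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev,adm' >>/etc/security/group.conf
-
-cat >>/usr/share/pam-configs/local_groups <<__EOF__
-Name: activate /etc/security/group.conf
-Default: yes
-Priority: 900
-Auth-Type: Primary
-Auth:
-required pam_group.so use_first_pass
-__EOF__
-
-DEBIAN_FRONTEND=noninteractive pam-auth-update
-</source>
-
-By default Ubuntu (12.04 LTS) shows only local users at the login screen. After adding the following line a user name can be added:
-<source lang=bash>
-# Add a field for a user name
-echo "greeter-show-manual-login=true" >>/etc/lightdm/lightdm.conf
-
-# Optional: Disable the user selection at the login screen
-echo "greeter-hide-users=true" >>/etc/lightdm/lightdm.conf
-</source>
-
-With these settings the login for domain members should be possible.
-
-= Kerberos integration =
-An UCS 3 domain provides a kerberos domain. The Ubuntu client should use the UCS 3 DNS server, because Kerberos relies heavily on DNS. The following steps show an example configuration
-<source lang=bash>
-# Set some environment variables
-. /etc/univention/ucr_master
-
-# Install required packages
-DEBIAN_FRONTEND=noninteractive apt-get install heimdal-clients
-
-# Default krb5.conf
-cat >/etc/krb5.conf <<__EOF__
-[libdefaults]
-default_realm = $kerberos_realm
-kdc_timesync = 1
-ccache_type = 4
-forwardable = true
-proxiable = true
-
-[realms]
-$kerberos_realm = {
-kdc = $MASTER_IP $ldap_master
-admin_server = $MASTER_IP $ldap_master
-}
-__EOF__
-
-# Stop and disable the avahi daemon
-service avahi-daemon stop
-sed -i 's|start on (|start on (never and |' /etc/init/avahi-daemon.conf
-
-# Synchronize the time with the UCS system
-ntpdate $ldap_master
-
-# Test Kerberos
-kinit Administrator
-
-# This login shouldn't ask for a password
-ssh Administrator@$ldap_master ls /etc/univention
-
-# Destroy the kerberos ticket
-kdestroy
-</source>
-
-= Links =
-* https://help.ubuntu.com/community/LDAPClientAuthentication
-* https://help.ubuntu.com/community/SingleSignOn
-* https://help.ubuntu.com/community/PamCcredsHowto
 
 [[Category:EN]]
 [[Category:Other Operating Systems]]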