Ubuntu
From Univention Wiki
This guide describes the integration of an Ubuntu system into a UCS 3 domain. This configuration has been tested with Ubuntu 12.04 LTS and Kubuntu 12.04 LTS.
LDAP and SSL configuration
After Ubuntu has been installed, the basic configuration must be done. The easiest way is to copy the default configuration of the UCS master to the Ubuntu system, for example:
export MASTER_IP=10.201.1.1
mkdir /etc/univention
ssh ${MASTER_IP} ucr shell | grep -v ^hostname= >/etc/univention/ucr_master
. /etc/univention/ucr_master
echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts
Anonymous LDAP search is disabled by default in UCS 3. The Ubuntu client therefore needs its own account in the UCS 3 domain to get read access to the LDAP directory.
# Set some environment variables
. /etc/univention/ucr_master

# Download the SSL certificate
mkdir -p /etc/univention/ssl/ucsCA/
wget -O /etc/univention/ssl/ucsCA/CAcert.pem http://${ldap_master}/ucs-root-ca.crt

# Create an account and save the password
password="$(< /dev/urandom tr -dc A-Za-z0-9_ | head -c8)"
ssh root@${ldap_master} udm computers/managedclient create --position cn=computers,${ldap_base} \
    --set name=$(hostname) --set password="${password}"
echo "${password}" > /etc/ldap.secret

# Install LDAP client tools
DEBIAN_FRONTEND=noninteractive apt-get install libnss-ldap ldap-utils nscd

# Create ldap.conf
cat >/etc/ldap/ldap.conf <<__EOF__
TLS_CACERT /etc/univention/ssl/ucsCA/CAcert.pem
URI ldap://$ldap_master:7389
BASE $ldap_base
__EOF__

cat >/etc/ldap.conf <<__EOF__
uri ldap://$ldap_master:7389
rootbinddn cn=$(hostname),cn=computers,${ldap_base}
base ${ldap_base}
ldap_version 3
scope sub
ssl start_tls
tls_checkpeer no
nss_initgroups_ignoreusers root
__EOF__

# Activate ldap in nsswitch
auth-client-config -t nss -p lac_ldap
The commands getent passwd and getent group should now also list all users and groups of the UCS 3 domain.
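The /etc/ldap.conf written above requests STARTTLS but sets tls_checkpeer no, so the CA certificate that was just downloaded is never used to verify the LDAP server, and /etc/ldap.secret holds the machine account password in clear text. As an added example (not part of the original wiki page), the following script audits such a pam_ldap/nss_ldap configuration file and the secret file's permissions, and writes the hardened variant next to the page's settings; host name, base DN and password are constructed placeholders.

```shell
# Added example, not part of the wiki page: audit the pam_ldap/nss_ldap client
# configuration written above. The page's /etc/ldap.conf requests STARTTLS but
# sets "tls_checkpeer no", so the CA certificate downloaded earlier is never used
# to verify the LDAP server; /etc/ldap.secret holds the machine account password.
# Host name, base DN and password below are constructed placeholders.
# audit_ldap_conf FILE: prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ldap_conf() {
    rc=0
    if grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$1"; then
        echo "$1: tls_checkpeer no (server certificate is not verified)"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*tls_cacertfile[[:space:]]+/' "$1"; then
        echo "$1: tls_cacertfile missing (nothing to verify against)"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*(ssl[[:space:]]+start_tls|uri[[:space:]]+ldaps://)' "$1"; then
        echo "$1: neither start_tls nor ldaps (bind password sent in the clear)"; rc=1
    fi
    return $rc
}

# audit_secret FILE: the bind password file must be readable by root only (0600).
audit_secret() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] || { echo "$1: mode $mode, expected 600"; return 1; }
}

# write_samples DIR: the page's ldap.conf settings (weak) next to a hardened
# variant that differs only in the two TLS lines, plus a constructed secret file.
write_samples() {
    cat >"$1/weak.conf" <<'__EOF__'
uri ldap://master.example.test:7389
rootbinddn cn=client01,cn=computers,dc=example,dc=test
base dc=example,dc=test
ssl start_tls
tls_checkpeer no
__EOF__
    sed 's|^tls_checkpeer no$|tls_checkpeer yes\
tls_cacertfile /etc/univention/ssl/ucsCA/CAcert.pem|' "$1/weak.conf" >"$1/hardened.conf"
    printf 'constructed-password\n' >"$1/ldap.secret" && chmod 600 "$1/ldap.secret"
}

# Stand-alone run: the weak file reports findings, the hardened one passes.
demo() {
    dir=$(mktemp -d) && write_samples "$dir"
    audit_ldap_conf "$dir/weak.conf" || echo "weak.conf: FAIL"
    audit_ldap_conf "$dir/hardened.conf" && echo "hardened.conf: OK"
    audit_secret "$dir/ldap.secret" && echo "ldap.secret: OK"
    rm -r "$dir"
}
demo
```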
Login
To allow users to log in, their home directory should be created automatically at login.
cat >/usr/share/pam-configs/ucs_mkhomedir <<__EOF__
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required pam_mkhomedir.so umask=0022 skel=/etc/skel
__EOF__
DEBIAN_FRONTEND=noninteractive pam-auth-update
Users can be added to local groups during login, for example:
echo '*;*;*;Al0000-2400;audio,cdrom,dialout,floppy,plugdev' >>/etc/security/group.conf
cat >>/usr/share/pam-configs/local_groups <<__EOF__
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
        required pam_group.so use_first_pass
__EOF__
DEBIAN_FRONTEND=noninteractive pam-auth-update
By default, Ubuntu (12.04 LTS) shows only local users at the login screen. After adding the following line, a user name can be entered manually:
# Add a field for a user name
echo "greeter-show-manual-login=true" >>/etc/lightdm/lightdm.conf
# Optional: Disable the user selection at the login screen
echo "greeter-hide-users=true" >>/etc/lightdm/lightdm.conf
With these settings, domain members should be able to log in.
Kerberos integration
A UCS 3 domain provides a Kerberos realm. The Ubuntu client should use the UCS 3 DNS server, because Kerberos relies heavily on DNS. The following steps show an example configuration:
# Set some environment variables
. /etc/univention/ucr_master

# Install required packages
DEBIAN_FRONTEND=noninteractive apt-get install heimdal-clients libpam-heimdal

# Default krb5.conf
cat >/etc/krb5.conf <<__EOF__
[libdefaults]
    default_realm = $kerberos_realm
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    $kerberos_realm = {
        kdc = $ldap_master
        admin_server = $ldap_master
    }
__EOF__

# Stop and disable the avahi daemon
service avahi-daemon stop
sed -i 's|start on (|start on (never and |' /etc/init/avahi-daemon.conf

# Synchronize the time with the UCS system
ntpdate $ldap_master

# Test Kerberos
kinit Administrator
# This login shouldn't ask for a password
ssh Administrator@$ldap_master ls /etc/univention
# Destroy the kerberos ticket
kdestroy
Authentication caching
Cached credentials are helpful if no UCS domain controller can be reached. Caching can be activated with the following steps:
# Install packages
DEBIAN_FRONTEND=noninteractive apt-get install nss-updatedb libnss-db libpam-ccreds

# Dump the LDAP data
nss_updatedb ldap

# Call it every day
cat >/etc/cron.daily/upd-local-nss-db <<__EOF__
#!/bin/sh
`which nss_updatedb` ldap
__EOF__
chmod +x /etc/cron.daily/upd-local-nss-db

# Add the NOTFOUND case for ldap in nsswitch.conf
sed -i 's|^passwd: .*|passwd: files ldap [NOTFOUND=return] db|; \
    s|^group: .*|group: files ldap [NOTFOUND=return] db|' /etc/nsswitch.conf

# Skip pam_ldap if user_unknown or authinfo_unavail as well
sed -i 's/^\(account.*\[success=\)\(.\)\(.*pam_ldap.so\)/\1\2 user_unknown=\2 authinfo_unavail=\2 \3/' \
    /etc/pam.d/common-account