Tags:
create new tag
view all tags

Ubuntu Basics

This documents all the packages I needed to install and basic configuration I had to change to make an Ubuntu machine useful in the DICE environment, most of this is probably useful for other organisations.

We're working with Ubuntu 19.04 disco dingo, we will move onto 19.10 eoan ermine with an aim to finally settle on the next LTS (20.04 something beginning with f)

hosts file

Replace any entries in /etc/hosts which map the hostname to 127.0.0.1 (e.g. 127.0.0.1 crocodile) with a correct full entry, e.g.: 

129.215.202.190 crocodile.inf.ed.ac.uk crocodile

Without this, for some reason, SSH gssapi-keyex authentication will not work.

Krb5 

apt install krb5-user libpam-krb5 libsasl2-modules-gssapi-mit

As root edit /etc/krb5.conf to add the following to the [domain_realm] section: 

  inf.ed.ac.uk  =  INF.ED.AC.UK 
  .inf.ed.ac.uk  =  INF.ED.AC.UK

and also add this to the [realms] section: 

  INF.ED.AC.UK = {
    admin_server = kdc.inf.ed.ac.uk:749
    default_domain = inf.ed.ac.uk
  }

Whilst we don't have the kdcregister tool you need to create the host principal manually: 

kadmin -p username/admin
ank -randkey host/example.inf.ed.ac.uk
ktadd -k /etc/krb5.keytab host/example.inf.ed.ac.uk

sssd 

apt install libnss-sss sssd-tools libsasl2-modules-ldap

Copy the /etc/sssd/sssd.conf (and on DICE also the cert file /etc/pki/tls/certs/dice-sixkts-2018.crt) from a managed machine. On Ubuntu/Debian the certificate files are typically stored in the /etc/ssl/certs directory, if using that location don't forget to update the sssd.conf file.

Start the sssd server: systemctl start sssd

LDAP

Create /etc/ldap/ldap.conf to be the same as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit the TLS_CACERT for the change in directory).

SSH

Install the openssh-server package (if not already there): 

apt install openssh-server

Then edit the options in /etc/ssh/sshd_config to match those below. 

ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
GSSAPIStoreCredentialsOnRekey yes
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
PasswordAuthentication no
PermitRootLogin prohibit-password
Protocol 2
PubkeyAuthentication no
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UseDNS yes
UsePAM yes
X11Forwarding yes

Restart the ssh server: systemctl restart ssh

AFS

Install the packages: 

apt install openafs-client openafs-krb5 libpam-afs-session

That will take a while as it builds the afs kernel module.

Start the openafs client: systemctl start openafs-client

PAM

The /etc/pam.d/common-account file needs to be replaced with the following: 

account  required  pam_krb5.so minimum_uid=1000
account  required  pam_unix.so
account   required   pam_access.so    
account   required   pam_permit.so

mail

By default Ubuntu doesn't have a mail server installed, we recommend using postfix, it can be installed with: 

apt install postfix

The default config seems to "just work".

-- squinney - 2019-06-19

Comments

%COMMENT%

Edit | Attach | Print version | History: r4 < r3 < r2 < r1 | Backlinks | Raw View | More topic actions
Topic revision: r4 - 2019-07-24 - squinney
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback