Ubuntu Basics

This documents all the packages I needed to install and basic configuration I had to change to make an Ubuntu machine useful in the DICE environment, most of this is probably useful for other organisations.

We're working with Ubuntu 19.10 eoan ermine with an aim to finally settle on the next LTS (20.04 something beginning with f)

hosts file

For machines with static IP addresses where you want SSH gssapi-keyex authentication support.

Replace any entries in /etc/hosts which map the hostname to 127.0.0.1 (e.g. 127.0.0.1 crocodile) with a correct full entry, e.g.:

129.215.202.190 crocodile.inf.ed.ac.uk crocodile

Kerberos

apt install krb5-user libpam-krb5 libsasl2-modules-gssapi-mit

• Kerberos realm config for Informatics:
  

The default configuration will usually work but if you need to tweak it you can using:

dpkg-reconfigure -plow krb5-config

(or manually replace /etc/krb5.conf with the local site version copied from SL7).

Whilst we don't have the kerberos component you need to create the host principal manually:

kadmin -p username/admin
ank -randkey host/example.inf.ed.ac.uk
ktadd -k /etc/krb5.keytab host/example.inf.ed.ac.uk

sssd

apt install libnss-sss sssd-tools libsasl2-modules-ldap

Copy the /etc/sssd/sssd.conf (and on DICE also the cert file /etc/pki/tls/certs/dice-sixkts-2018.crt) from a managed machine. On Ubuntu/Debian the certificate files are typically stored in the /etc/ssl/certs directory, if using that location don't forget to update the sssd.conf file.

Start the sssd server: systemctl start sssd (it might already be started in which case a restart will be needed). You can test this by looking up data for your username by using something like getent passwd ...

LDAP

If you want the various ldap tools to work (e.g. ldapsearch) then you need to create /etc/ldap/ldap.conf to be the same as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit the TLS_CACERT for the change in directory).

SSH

Install the openssh-server package (if not already there):

apt install openssh-server

Then edit the options in /etc/ssh/sshd_config to include those below:

ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem   sftp   /usr/lib/openssh/sftp-server
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
UseDNS yes

The GSSAPI settings are necessary for single-sign-on support. the UseDNS option is necessary if you want to use pam_access to restrict access based on origin.

Restart the ssh server: systemctl restart ssh

AFS

Install the packages:

apt install openafs-client openafs-krb5 libpam-afs-session

• AFS Cell config for Informatics:
  

That will take a while as it builds the afs kernel module.

Start the openafs client: systemctl start openafs-client

PAM

This can be manually configured using the pam-auth-update tool.

• pam auth config for Informatics:
  

Note that 'SSS authentication' is intentionally disabled, we're only using it for cached access to data stored in our LDAP server. We could do our authentication using that module but currently we prefer to use 'Kerberos authentication'.

mail

By default Ubuntu doesn't have a mail server installed, we recommend using postfix, it can be installed with:

apt install postfix

The default config seems to "just work".

-- squinney - 2019-06-19

Comments

%COMMENT%