Ubuntu Basics
This documents all the packages I needed to install and the basic configuration I had to change to make an Ubuntu machine useful in the DICE environment; most of this is probably useful for other organisations.
We're working with Ubuntu 19.10 (eoan ermine) with an aim to finally settle on the next LTS (20.04, something beginning with f).
hosts file
For machines with static IP addresses where you want SSH gssapi-keyex authentication support, replace any entries in /etc/hosts which map the hostname to 127.0.0.1 (e.g. "127.0.0.1 crocodile") with a correct full entry, e.g.:
129.215.202.190 crocodile.inf.ed.ac.uk crocodile
GSSAPI key exchange needs the hostname to resolve to the machine's fully qualified name so that the matching host/FQDN principal can be found; a loopback entry defeats that.
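The following shell helper, added here as an example (not part of the original page), checks a hosts file for exactly this problem: it reports whether a given short hostname is mapped to a loopback address, to a real address, or not at all. hosts_check is a hypothetical function name, and the two sample files are constructed for the demonstration rather than copied from any real host.

```shell
#!/bin/sh
# Added example (not from the original page): check whether a hosts file maps a
# hostname to a loopback address, the condition that breaks gssapi-keyex.
# hosts_check is a hypothetical helper; it reads the given file rather than
# /etc/hosts directly so the check can be tried on a copy first.

# hosts_check FILE HOSTNAME -> prints one of: loopback, ok, missing
hosts_check() {
    awk -v h="$2" '
        { sub(/#.*/, "") }                 # drop trailing comments
        NF < 2 { next }                    # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++) {
                if ($i != h) continue
                found = 1
                # 127.0.0.0/8 and ::1 are loopback; Ubuntu installs usually
                # leave a "127.0.1.1 <hostname>" line behind
                if ($1 ~ /^127\./ || $1 == "::1") { print "loopback" } else { print "ok" }
                exit
            }
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample files: the "bad" one is what the installer typically
# leaves behind, the "good" one carries the full entry recommended above.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
127.0.0.1 localhost
127.0.1.1 crocodile
::1 ip6-localhost ip6-loopback
EOF

SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
127.0.0.1 localhost
129.215.202.190 crocodile.inf.ed.ac.uk crocodile   # full entry, FQDN first
::1 ip6-localhost ip6-loopback
EOF

hosts_check "$SAMPLE_BAD" crocodile    # loopback
hosts_check "$SAMPLE_GOOD" crocodile   # ok
hosts_check "$SAMPLE_GOOD" alligator   # missing
```

Run it against the live file with hosts_check /etc/hosts "$(hostname)"; anything other than "ok" means the host principal lookup will fail for gssapi-keyex.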
Kerberos
apt install krb5-user libpam-krb5 libsasl2-modules-gssapi-mit
- Kerberos realm config for Informatics:
The default configuration will usually work, but if you need to tweak it you can do so using:
dpkg-reconfigure -plow krb5-config
(or manually replace /etc/krb5.conf with the local site version copied from SL7).
Whilst we don't have the kerberos component you need to create the host principal manually:
kadmin -p username/admin
ank -randkey host/example.inf.ed.ac.uk
ktadd -k /etc/krb5.keytab host/example.inf.ed.ac.uk
The resulting /etc/krb5.keytab holds the host's long-term key, so make sure it stays owned by root with mode 0600.
sssd
apt install libnss-sss sssd-tools libsasl2-modules-ldap
Copy /etc/sssd/sssd.conf (and on DICE also the cert file /etc/pki/tls/certs/dice-sixkts-2018.crt) from a managed machine. On Ubuntu/Debian the certificate files are typically stored in the /etc/ssl/certs directory; if using that location don't forget to update the path in sssd.conf. Preserve the permissions when copying: sssd refuses to start if sssd.conf is readable by anyone other than root (it expects mode 0600).
Start the sssd server:
systemctl start sssd
(it might already be started, in which case a restart will be needed). You can test this by looking up data for your username with something like:
getent passwd ...
LDAP
If you want the various ldap tools to work (e.g. ldapsearch) then you need to create /etc/ldap/ldap.conf with the same content as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit TLS_CACERT to reflect the change in certificate directory).
SSH
Install the openssh-server package (if not already there):
apt install openssh-server
Then edit the options in /etc/ssh/sshd_config to include those below:
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
UseDNS yes
The GSSAPI settings are necessary for single-sign-on support. The UseDNS option is necessary if you want to use pam_access to restrict access based on origin, since sshd only resolves the client address to a hostname for PAM when it is enabled. Check that the edited file still parses (sshd -t) and then restart the ssh server:
systemctl restart ssh
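Because sshd honours the first value it sees for a keyword and silently ignores later repeats, a quick grep for the lines above can give false confidence. The script below, added here as an example (not from the original page), resolves the effective value of each required directive the way sshd does and lists any deviations. sshd_effective and sshd_audit are hypothetical helper names, and the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# directives listed above. sshd_effective and sshd_audit are hypothetical
# helper names. sshd uses the FIRST value given for a keyword and ignores
# later repeats, so that is the value reported; anything after the first
# Match block is conditional and is not considered.

# sshd_effective FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        tolower($1) == "match" { exit }            # stop at the first Match block
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# The settings this page requires, one "Keyword value" per line.
REQUIRED='ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
UseDNS yes'

# sshd_audit FILE -> prints each deviation, returns the number of deviations
sshd_audit() {
    bad=0
    while read -r key want; do
        have=$(sshd_effective "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: want '$want', have '${have:-<unset>}'"
            bad=$((bad + 1))
        fi
    done <<EOF
$REQUIRED
EOF
    return $bad
}

# Constructed sample configs (not from any real host).
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
# DICE settings
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem   sftp   /usr/lib/openssh/sftp-server
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
UseDNS yes
Match User backup
    X11Forwarding no
EOF

SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
# first value wins: this "no" is what sshd will actually use
GSSAPIAuthentication no
ChallengeResponseAuthentication no
usepam yes
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
GSSAPIAuthentication yes
Match User alice
    X11Forwarding yes
EOF

sshd_audit "$SAMPLE_GOOD" && echo "sample good: all required settings present"
sshd_audit "$SAMPLE_BAD" || echo "sample bad: $? deviation(s)"
```

On a real machine run sshd_audit /etc/ssh/sshd_config before the restart; a zero return means every directive above is in effect at the global scope.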
AFS
Install the packages:
apt install openafs-client openafs-krb5 libpam-afs-session
- AFS Cell config for Informatics:
That will take a while as it builds the afs kernel module.
Start the openafs client:
systemctl start openafs-client
PAM
This can be configured manually using the pam-auth-update tool.
- pam auth config for Informatics:
Note that 'SSS authentication' is intentionally disabled; we're only using it for cached access to data stored in our LDAP server. We could do our authentication using that module but currently we prefer to use 'Kerberos authentication'.
mail
By default Ubuntu doesn't have a mail server installed; we recommend using postfix, which can be installed with:
apt install postfix
The default config seems to "just work".
--
squinney - 2019-06-19