
Ubuntu Basics

This documents all the packages I needed to install and the basic configuration I had to change to make an Ubuntu machine useful in the DICE environment. Most of this is probably useful for other organisations.

We're working with Ubuntu 19.10 (Eoan Ermine), with the aim of finally settling on the next LTS (20.04, something beginning with f).

hosts file

For machines with static IP addresses where you want SSH gssapi-keyex authentication support.

Replace any entries in /etc/hosts which map the hostname to (e.g. crocodile) with a correct full entry, e.g.: crocodile.inf.ed.ac.uk crocodile


apt install krb5-user libpam-krb5 libsasl2-modules-gssapi-mit

  • Kerberos realm config for Informatics:

The default configuration will usually work, but if you need to tweak it you can do so using:

dpkg-reconfigure -plow krb5-config

(or manually replace /etc/krb5.conf with the local site version copied from SL7).

Whilst we don't have the Kerberos component, you need to create the host principal manually:

kadmin -p username/admin
ank -randkey host/example.inf.ed.ac.uk
ktadd -k /etc/krb5.keytab host/example.inf.ed.ac.uk


apt install libnss-sss sssd-tools libsasl2-modules-ldap

Copy the /etc/sssd/sssd.conf (and on DICE also the cert file /etc/pki/tls/certs/dice-sixkts-2018.crt) from a managed machine. On Ubuntu/Debian the certificate files are typically stored in the /etc/ssl/certs directory. If you use that location, don't forget to update the certificate path in the sssd.conf file.

Start the sssd server: systemctl start sssd (it might already be started in which case a restart will be needed). You can test this by looking up data for your username by using something like getent passwd ...


If you want the various ldap tools to work (e.g. ldapsearch) then you need to create /etc/ldap/ldap.conf to be the same as /etc/openldap/ldap.conf on SL7 (similarly you might need to edit the TLS_CACERT for the change in directory).


Install the openssh-server package (if not already there):

apt install openssh-server

Then edit the options in /etc/ssh/sshd_config to include those below:

ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem   sftp   /usr/lib/openssh/sftp-server
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
UseDNS yes

The GSSAPI settings are necessary for single-sign-on support. The UseDNS option is necessary if you want to use pam_access to restrict access based on origin.

Restart the ssh server: systemctl restart ssh
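One way to confirm the edited file really carries the GSSAPI and UseDNS values listed above (an added example, not part of the original page; the function names and the sample config are constructed for illustration). It reads only the global section, because sshd uses the first value it finds for a keyword and treats everything after a Match line as conditional:

```sh
#!/bin/sh
# Added example: audit the global section of an sshd_config for the GSSAPI
# and UseDNS values listed on this page. Function names are hypothetical.

# Keyword/value pairs copied from the sshd_config list above.
REQUIRED='GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStoreCredentialsOnRekey yes
UseDNS yes'

# check_sshd_config FILE
# Prints one line per problem; exit status is the number of problems.
check_sshd_config() {
    REQUIRED="$REQUIRED" awk '
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { exit }      # the rest is conditional
        {   # keywords are case-insensitive; sshd keeps the first value seen
            k = tolower($1)
            if (!(k in seen)) seen[k] = tolower($2)
        }
        END {
            n = split(ENVIRON["REQUIRED"], req, "\n")
            for (i = 1; i <= n; i++) {
                split(req[i], kv, " ")
                k = tolower(kv[1])
                if (!(k in seen)) {
                    printf "MISSING  %s (want %s)\n", kv[1], kv[2]; bad++
                } else if (seen[k] != kv[2]) {
                    printf "MISMATCH %s is %s (want %s)\n", kv[1], seen[k], kv[2]; bad++
                }
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample: one setting commented out, UseDNS set twice (the first
# "no" wins), GSSAPIAuthentication enabled only inside a Match block.
write_sample() {
    cat > "$1" <<'EOF'
GSSAPICleanupCredentials no
#GSSAPIStoreCredentialsOnRekey yes
usedns no
UseDNS yes
Match Address 192.0.2.0/24
    GSSAPIAuthentication yes
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On the machine itself, running `sshd -T` as root prints the effective configuration after parsing and is the authoritative check; point `check_sshd_config` at /etc/ssh/sshd_config for a quick look before restarting.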


Install the packages:

apt install openafs-client openafs-krb5 libpam-afs-session

  • AFS Cell config for Informatics:

That will take a while as it builds the AFS kernel module.

Start the openafs client: systemctl start openafs-client


This can be manually configured using the pam-auth-update tool.

  • pam auth config for Informatics:

Note that 'SSS authentication' is intentionally disabled; we're only using it for cached access to data stored in our LDAP server. We could do our authentication using that module but currently we prefer to use 'Kerberos authentication'.


By default Ubuntu doesn't have a mail server installed. We recommend using postfix, which can be installed with:

apt install postfix

The default config seems to "just work".

-- squinney - 2019-06-19



Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng afs_cell.png r1 manage 32.8 K 2019-10-29 - 13:36 UnknownUser AFS Cell config for Informatics
PNGpng krb5-realm.png r1 manage 43.9 K 2019-10-29 - 13:37 UnknownUser Kerberos realm config for Informatics
PNGpng pam-auth-update.png r1 manage 78.9 K 2019-10-29 - 13:43 UnknownUser pam auth config for Informatics
Topic revision: r7 - 2019-10-29 - squinney