Account Management

Integrating your system with LCSR Kerberos

NOTE: This page is for systems with permanent network connections within the computer science department. For laptops and systems at home, please see Setting up Kerberos Support for your Home or Office Machine.

This page is written for Linux, but it is possible to integrate Microsoft Windows and Macintoshes with permanent network connections to the computer science network. Contact CS Helpdesk for more information on doing that.

Systems managed by LCSR use Red Hat's IPA to manage users and groups. All users are authenticated using Kerberos. The primary file systems are mounted using NFS (normally NFS version 3 or 4) with Kerberos authentication.

Computer Science researchers might be interested in using the same approach for their systems:

When a system is integrated with Kerberos, all users and groups stored in our central system will be usable on your system. However, that doesn't mean they can all log in. In the process of setup, you will create a user group. Everyone in that group is allowed to log in. Use the Group and Guest Management tool on the main Accounts Web Page to set up the group and add / remove people from it. (There is also a command-line tool, and even a REST web interface.) You will still be able to create users and groups in /etc/passwd and /etc/group. Yours will take precedence over those that come from the central directory. However, only users in the central directory will be able to use Kerberized features.

See Kerberos tools and configuration for specifics on what this process sets up on your system.

We support this process for up-to-date installations of CentOS 7, Ubuntu 20 and 22. However, only Ubuntu 20 and Ubuntu 22 are tested regularly, and the script that lets you do it yourself may only work for those systems.

Fixing up usernames

For this to work, your usernames need to be coordinated. LCSR uses University NetIDs as usernames. To use Kerberos authentication, you must log in with a NetID.

If your users all have entries in the local /etc/passwd, UIDs (the numbers associated with the username) don't have to be coordinated. Neither do groups. However, occasional confusion could result if you have any groups with the same name as groups in our central database.

However, if you are going to get all user information from our servers (which we recommend), you'll need to make sure your UIDs match ours. Only UIDs for real users are an issue; root, bin, etc. aren't in our database.

If you're not using NetIDs for usernames, you'll want to update your usernames. You can do that by editing /etc/passwd and changing the names.
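The checks described in this section can be run before integration with a short audit script. The following is an added example, not part of LCSR's tooling: it assumes you have a passwd-format and group-format export of the central directory (how you obtain it is not covered here), treats UIDs below 1000 as system accounts, and uses constructed sample data. It goes slightly beyond the text by also flagging a local UID that already belongs to a different central user.

```python
# Added example: audit local accounts against a central directory export.
# All sample data is constructed; UID_MIN = 1000 is an assumed cutoff for "real" users.
UID_MIN = 1000
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
abc123:x:1001:1001:A. Example:/home/abc123:/bin/bash
xyz789:x:1003:1003:C. Example:/home/xyz789:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""
CENTRAL_PASSWD = """\
abc123:*:1001:1001:A. Example:/home/abc123:/bin/bash
xyz789:*:48213:48213:C. Example:/home/xyz789:/bin/bash
qrs456:*:1002:1002:D. Example:/home/qrs456:/bin/bash
"""
LOCAL_GROUP = "wheel:x:10:root\nresearch:x:2001:abc123\n"
CENTRAL_GROUP = "research:*:70012:xyz789\nfaculty:*:70001:\n"

def parse_ids(text):
    """Map name -> numeric ID from passwd(5)- or group(5)-format text."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and not line.startswith("#") and fields[2].isdigit():
            ids.setdefault(fields[0], int(fields[2]))  # first entry for a name wins
    return ids

def audit(local_passwd, central_passwd, local_group, central_group):
    """Return a dict of findings; an empty list means that check passed."""
    local, central = parse_ids(local_passwd), parse_ids(central_passwd)
    central_by_uid = {uid: name for name, uid in central.items()}
    report = {"uid_mismatch": [], "not_in_central": [], "uid_taken": [], "group_clash": []}
    for name, uid in sorted(local.items()):
        if uid < UID_MIN:
            continue  # system accounts (root, bin, ...) are not in the central database
        if name not in central:
            report["not_in_central"].append(name)  # username is not a known NetID
        elif central[name] != uid:
            report["uid_mismatch"].append((name, uid, central[name]))
        owner = central_by_uid.get(uid)
        if owner and owner != name:
            report["uid_taken"].append((name, uid, owner))  # UID maps to someone else centrally
    # Same-named groups in both places are the source of "occasional confusion".
    report["group_clash"] = sorted(set(parse_ids(local_group)) & set(parse_ids(central_group)))
    return report

if __name__ == "__main__":
    for kind, items in audit(LOCAL_PASSWD, CENTRAL_PASSWD, LOCAL_GROUP, CENTRAL_GROUP).items():
        print(kind, items)
```

Entries under `uid_mismatch` and `uid_taken` matter most on Kerberized NFS mounts, where file ownership follows the numeric UID rather than the name.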

Requirements for integration to work

Once you have fixed up your usernames, there are two ways to integrate your system: