Account Management

Integrating your system with LCSR Kerberos

NOTE: This page is for Linux systems with permanent network connections within the computer science department. For laptops and systems at home, please see Working at Home. Working at Home also has instructions for Macintosh systems located within the department.

Systems managed by LCSR use Redhat's IPA to manage users and groups. All users are authenticated using Kerberos. The primary file systems are mounted using NFS with Kerberos authentication.

Computer Science researchers might be interested in using the same approach for their systems:

See Kerberos tools and configuration for specifics on what this process sets up on your system.

We support this process for up-to-date installations of Centos 6 and 7, Ubuntu 14 and 16, and SLES 12. However, only Centos 7, Ubuntu 14 and Ubuntu 16 are tested regularly, and the script that lets you do it yourself may only work for those systems.

Ubuntu 18 will be supported when it is released, or when we have a request to support it, whichever comes first. When Ubuntu 18 is in wide use, we may stop testing Ubuntu 14. If you want to integrate some other Linux distribution, please send a request to Adding a new distribution isn't hard. The main issue is testing everything.

Fixing up usernames

For this to work, your usernames need to be coordinated. LCSR uses University NetIDs as usernames. To use Kerberos authentication, you must login with a NetID.

UIDs (the numbers associated with the username) don't have to be coordinated. Neither do groups. However occasional confusion could result if you have any groups with the same name as groups in our central database.

If you're not using NetIDs for usernames, you'll want to update your usernames. You can do that by editing /etc/passwd and changing the names.

[Note: it's actually possible to set up a mapping between names on your system and network names. However it has to be done in 3 different files, and changes need to be kept consistent between those 3 files and /etc/passwd. We think maintenance is going to be confusing enough that we don't recommend it. But if you want to use Kerberos and it's not possible for some reason to update your usernames, we can show you how to set up mapping.]

Requirements for integration to work

Once you have fixed up your usernames, there are two ways to integrate your system:

There are a couple of requirements:

Using the script

You may prefer to let us do the setup. We can then handle any errors that occur.

However if you want to do it, here's the setup script: kerberize.

The final setup should be identical whether you do it or we do. The script downloads the same ansible software that we use.

You should run it as root on the system you're setting up.

Here are some specifics about using the script:

During the process it will install several pieces of software: among them Kerberos, Ansible, and Git. We've tried to limit output, but parts of the process produce more of it than you'd like. Don't be surprised if you see errors such as the following:

failed KDC can't fulfill requested option
ipa: ERROR: host with name "" already exists
ipa: ERROR: no modifications to be performed

A serious error will terminate the process, and hopefully give a clear error message, except in the final stage when software is being set up under Ansible.

Once the script has succeeded you can run it again if you want to change your answers.

If you continue to use /etc/passwd (i.e. you answered "no") you'll have problems adding new users. If you edit /etc/passwd you're fine. But if you use "useradd" or "adduser" it will complain that the user already exists, because it will also see users in LDAP. You can fix that by temporarily changing /etc/nsswitch.conf, removing ldap from the line that starts with "passwd:".
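As an added illustration of the workaround above (this is not part of LCSR's kerberize script), here is a small shell wrapper that removes ldap from the "passwd:" line of /etc/nsswitch.conf only for the duration of a useradd call and then restores the file; the NSSWITCH variable and the useradd_local_only name are assumptions for this example, and NSSWITCH can be pointed at a copy of the file for testing.

```shell
#!/bin/sh
# Added example, not LCSR's code. Temporarily drops "ldap" from the passwd:
# line of nsswitch.conf so useradd only consults /etc/passwd, then restores it.
# NSSWITCH defaults to the real file; override it to test on a constructed copy.

NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"

# Copy $1 to $2 with "ldap" removed from the passwd: line only.
# The group: and other database lines are left exactly as they were.
strip_ldap_from_passwd() {
    sed -E '/^passwd:/{ s/[[:space:]]+ldap[[:space:]]*$//; s/[[:space:]]+ldap[[:space:]]+/ /g; }' \
        "$1" > "$2"
}

# Run useradd with LDAP hidden from the passwd database, restoring the
# original nsswitch.conf afterwards even if useradd fails, so that the
# central (IPA) users become visible again as soon as the command returns.
useradd_local_only() {
    backup="$NSSWITCH.local-useradd.bak"
    cp "$NSSWITCH" "$backup" || return 1
    strip_ldap_from_passwd "$backup" "$NSSWITCH" || { mv "$backup" "$NSSWITCH"; return 1; }
    useradd "$@"
    status=$?
    mv "$backup" "$NSSWITCH"
    return $status
}

# Usage (as root): useradd_local_only -m newlocaluser
```

The wrapper writes the stripped copy over the original path with a redirect, so the file keeps its mode; the backup is moved back into place as the last step.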

Special situations

The script should work OK with default installations. Here are some special situations you might have:

Selinux on Ubuntu

Selinux is a security system written for Linux by the NSA. It is used by default on Centos, but not on Ubuntu. Selinux can interfere with registering credentials to be renewed. Our Centos installation handles this automatically, because Selinux is supported on Centos. It's not commonly used with Ubuntu. If you have enabled it on Ubuntu, you may need to add rules to allow sshd (actually PAM called by sshd) to write to /run. Please contact if you're in this situation.