Integrating your system with LCSR Kerberos
NOTE: This page is for systems with permanent network connections within the computer science department. For laptops and systems at home, please see Setting up Kerberos Support for your Home or Office Machine.
This page is written for Linux, but it is possible to integrate Microsoft Windows and Macintoshes with permanent network connections to the computer science network. Contact firstname.lastname@example.org for more information on doing that. Different
Systems managed by LCSR use Redhat's IPA to manage users and groups. All users are authenticated using Kerberos. The primary file systems are mounted using NFS (normally NFS version 4) with Kerberos authentication.
Computer Science researchers might be interested in using the same approach for their systems:
- You can ssh into and out of the system without needing to type a password.
- You can access shared file systems on LCSR servers.
- You can access storage on your system from other systems, both your own and systems managed by LCSR.
When a system is integrated with Kerberos, all users and groups stored in our central system will be usable on your system. However that doesn't mean they can all login. In the process of setup, you will create a user group. Everyone in that group is allowed to login. Use the Group and Guest Management tool on the main Accounts Web Page to set up the group and add / remove people from it. (There is also a command-line tool, and even a REST web interface.) You will still be able to create users and groups in /etc/passwd and /etc/group. Yours will take precedence over those that come from the central directory. However only users in the central directory will be able to use Kerberized features.
See Kerberos tools and configuration for specifics on what this process sets up on your system.
We support this process for up-to-date installations of Centos 6 and 7, Ubuntu 14, 16 and 18, and SLES 12. However only Centos 7, Ubuntu 14 and Ubuntu 18 are tested regularly, and the script that lets you do it yourself may only work for those systems.
Fixing up usernames
For this to work, your usernames need to be coordinated. LCSR uses University NetIDs as usernames. To use Kerberos authentication, you must login with a NetID.
If your users all have entries in the local /etc/password, UIDs (the numbers associated with the username) don't have to be coordinated. Neither do groups. However occasional confusion could result if you have any groups with the same name as groups in our central database.
However if you are going to get all user information from our servers (which we recommend), you'll need to make sure your UIDs match ours. Only UIDs for real users are an issue, root, bin, etc, aren't in our database.
If you're not using NetIDs for usernames, you'll want to update your usernames. You can do that by editing /etc/passwd and changing the names.
- You can setup Kerberos on your system before you finish converting to NetID. However only users that use the NetID will be able to use Kerberos features.
- If all else fails, you can add duplicate entries in /etc/passwd. Just duplicate each user. The second entry should be identical, except it uses NetID rather than the old username. The UID and other information, including home directory, should be the same.
Requirements for integration to work
Once you have fixed up your usernames, there are two ways to integrate your system:
- Ask email@example.com to do it for you. You will need to give us a user that can sudo to root.
- Download the kerberize script. Any faculty member (or others authorized by request of a faculty member) can use this script to add their computer to our system.
There are a couple of requirements:
- Your computer must have a permanent hostname, and must be listed in DNS with that hostname. It's fine if you use DHCP to distribute IP addresses. However DHCP must be configured so that it always uses the same IP address for a given system. If you type the "hostname" command, you should see your full hostname, that is, host.cs.rutgers.edu, not just host.
- If you decide to use the script and do it yourself, the script will ask you to login with a netid. The netid must be for a faculty member or someone else that has been authorized to register computers. If you want someone other than a faculty member to set up your systems, please contact firstname.lastname@example.org.
- We do not currently support systems that want to use both our information and NIS/yellow pages. We assume that our LDAP data effectively replaces NIS. Having two network-based sets of user information is likely to lead to confusion. If you really need to do this, contact email@example.com. It's certainly possible to configure a system that way, but our scripts won't currently do it automatically.
- Your system must have python installed, Python 2 (versions 2.6 or 2.7) or Python 3 (versions 3.5 and higher). We don't install it because we don't want to inadvertently change the version. In our testing we've always found that python is either already there or is installed with one of the other packages we install. That means that so far this hasn't been a problem.
- For Ubuntu, your system must have its time synchronized with the network. For 16, try "timedatectl" It should show "NTP synchronized: yes". For 14, try "ntpq -p". It should show that you are synchronized with at least one NTP server. * at the beginning of the line indicates that you are synchronized. For Centos, we set up synchronization for you. Ubuntu is supposed to do it by default. So this shouldn't be a problem.
Using the script
You may prefer to let us do the setup. We can then handle any errors that occur.
However if you want to do it, here's the setup script: kerberize.
The final setup should be identical whether you do it or we do. The script downloads the same ansible software that we use.
You should run it as root on the system you're setting up.
Here are some specifics about using the script:
- You have to be root to run it.
- Either do "chown +x kerberize" and run it by "./kerberize" or run it by "bash kerberize". It has to be run with bash.
- The first time you run it, it will ask you to login. Use a NetID and the computer science password. It doesn't matter whether that Netid is a valid login on the system you're setting up. It needs to be for a faculty member or someone else authorized to register computers.
- It will ask whether you want to get user and group information from our central server. The easiest answer is "no." If you say no, you'll continue using information from /etc/passwwd. Users will need entries in /etc/passwd to login. We'll set up LDAP, so you can see all of the computer science users and groups, but only users in /etc/passwd can login.
- A "yes" answer means user and group information will come from our central system. If you have existing files, you may need to update ownership, since the UIDs in our central system will probably be different from what you've been using. We strongly recommend "yes" for new systems, but for existing systems, it will require some work. You can answer "no", and later run the script again with "yes."
- If you answer "yes", you'll need to specify the name of a group. Without that, anyone in computer science would be able to login. The idea is that only members of that group of users can login to your system. You can create and manage groups using the group management tool at https://services.cs.rutgers.edu/accounts.
During the process it will install several pieces of software: among them Kerberos, Ansible, and Git. We've tried to limit output, but parts of the process produce more of it than you'd like. Don't be surprised if you see an errors such as the following
failed KDC can't fulfill requested option ipa: ERROR: host with name "c217-4.cs.rutgers.edu" already exists ipa: ERROR: no modifications to be performedA serious error will terminate the process, and hopefully give a clear error message, except in the final stage when software is being set up under Ansible.
Once the script has succeeded you can run it again if you want to change your answers.
If you continue to use /etc/passwd (i.e. you answered "no") you'll have problems adding new users. If you edit /etc/passwd you're fine. But if you use "useradd" or "adduser" it will complain that the user already exists, because it will also see users in LDAP. You can fix that by temporarily changing /etc/nsswitch.conf, removing ldap from the line that starts with "passwd:".
The script should work OK with default installations. Here are some special situations you might have:
Selinux on Ubuntu Selinux is a security system written for Linux by the NSA. It is used by default on Centos, but not on Ubuntu. Selinux can interfere with registering credentials to be renewed. Our Centos installation handles this automatically, because Selinux is supported on Centos. It's not commonly used with Ubuntu. If you have enabled it on Ubuntu, you may need to add rules to allow sshd (actually PAM called by sshd) to write to /run. Please contact firstname.lastname@example.org if you're in this situation.