Account Management

Integrating your system with LCSR Kerberos

NOTE: This page is for systems with permanent network connections within the computer science department. For laptops and systems at home, please see Setting up Kerberos Support for your Home or Office Machine.

This page is written for Linux, but it is possible to integrate Microsoft Windows and Macintoshes with permanent network connections to the computer science network. Contact for more information on doing that. Different

Systems managed by LCSR use Redhat's IPA to manage users and groups. All users are authenticated using Kerberos. The primary file systems are mounted using NFS (normally NFS version 4) with Kerberos authentication.

Computer Science researchers might be interested in using the same approach for their systems:

When a system is integrated with Kerberos, all users and groups stored in our central system will be usable on your system. However that doesn't mean they can all login. In the process of setup, you will create a user group. Everyone in that group is allowed to login. Use the Group and Guest Management tool on the main Accounts Web Page to set up the group and add / remove people from it. (There is also a command-line tool, and even a REST web interface.) You will still be able to create users and groups in /etc/passwd and /etc/group. Yours will take precedence over those that come from the central directory. However only users in the central directory will be able to use Kerberized features.

See Kerberos tools and configuration for specifics on what this process sets up on your system.

We support this process for up-to-date installations of Centos 6 and 7, Ubuntu 14, 16 and 18, and SLES 12. However only Centos 7, Ubuntu 14 and Ubuntu 18 are tested regularly, and the script that lets you do it yourself may only work for those systems.

Fixing up usernames

For this to work, your usernames need to be coordinated. LCSR uses University NetIDs as usernames. To use Kerberos authentication, you must login with a NetID.

If your users all have entries in the local /etc/password, UIDs (the numbers associated with the username) don't have to be coordinated. Neither do groups. However occasional confusion could result if you have any groups with the same name as groups in our central database.

However if you are going to get all user information from our servers (which we recommend), you'll need to make sure your UIDs match ours. Only UIDs for real users are an issue, root, bin, etc, aren't in our database.

If you're not using NetIDs for usernames, you'll want to update your usernames. You can do that by editing /etc/passwd and changing the names.

Requirements for integration to work

Once you have fixed up your usernames, there are two ways to integrate your system:

There are a couple of requirements:

Using the script

You may prefer to let us do the setup. We can then handle any errors that occur.

However if you want to do it, here's the setup script: kerberize.

The final setup should be identical whether you do it or we do. The script downloads the same ansible software that we use.

You should run it as root on the system you're setting up.

Here are some specifics about using the script:

During the process it will install several pieces of software: among them Kerberos, Ansible, and Git. We've tried to limit output, but parts of the process produce more of it than you'd like. Don't be surprised if you see an errors such as the following

failed KDC can't fulfill requested option
ipa: ERROR: host with name "" already exists
ipa: ERROR: no modifications to be performed
A serious error will terminate the process, and hopefully give a clear error message, except in the final stage when software is being set up under Ansible.

Once the script has succeeded you can run it again if you want to change your answers.

If you continue to use /etc/passwd (i.e. you answered "no") you'll have problems adding new users. If you edit /etc/passwd you're fine. But if you use "useradd" or "adduser" it will complain that the user already exists, because it will also see users in LDAP. You can fix that by temporarily changing /etc/nsswitch.conf, removing ldap from the line that starts with "passwd:".

Special situations

The script should work OK with default installations. Here are some special situations you might have:

Selinux on Ubuntu Selinux is a security system written for Linux by the NSA. It is used by default on Centos, but not on Ubuntu. Selinux can interfere with registering credentials to be renewed. Our Centos installation handles this automatically, because Selinux is supported on Centos. It's not commonly used with Ubuntu. If you have enabled it on Ubuntu, you may need to add rules to allow sshd (actually PAM called by sshd) to write to /run. Please contact if you're in this situation.