Machine-translated page for increased accessibility for English questioners.

Faculty authentication on a machine in the FI network

You can enable authentication against faculty accounts on your machine using the Lightweight Directory Access Protocol (LDAP) and Kerberos.

The instructions below target Unix-like systems, specifically the Ubuntu 18.04 LTS Linux distribution. The procedure for other distributions and operating systems may differ.

General information

The Lightweight Directory Access Protocol (LDAP) is available on the FI network and provides information about individual users and user groups. An ellipsis (…) in the output marks omitted text (here and in the other examples in this text):

$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=People,dc=fi,dc=muni,dc=cz cn=xlogin -x
# xlogin, People, fi.muni.cz
dn: uid=xlogin,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin
cn: xlogin
objectClass: account
objectClass: posixAccount
userPassword:: e1NBU0x9eG5vdm90MzJARkkuTVVOSS5DWg==
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 10100
homeDirectory: /home/xlogin
gecos: Honza Login
host: aisa
host: anxur

$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=Group,dc=fi,dc=muni,dc=cz cn=student -x
# student, Group, fi.muni.cz
dn: cn=student,ou=Group,dc=fi,dc=muni,dc=cz
objectClass: posixGroup
objectClass: top
cn: student
gidNumber: 10100
memberUid: xlogin1
memberUid: xlogin2
…

This information can then be used as an additional source for the Unix user and group tables via the Name Service Switch (NSS) framework. Among other things, this allows file systems to be shared across Unix machines.

The Kerberos protocol is also available on the FI network and allows authentication to faculty user accounts with the faculty password through the Pluggable Authentication Modules (PAM) framework. This enables single sign-on on faculty Unix machines.

Lightweight Directory Access Protocol

The LDAP protocol is used by the Name Service Switch (NSS) module in conjunction with the NSCD caching daemon, which reduces network latency and load. In the Ubuntu repositories, both projects are available in the packages nscd and libnss-ldap:

# apt install nscd libnss-ldap

Next, download the CA certificate used for the encrypted connection to the LDAP servers:

$ wget https://fadmin.fi.muni.cz/cacert/FI_CA.crt
# openssl x509 -in FI_CA.crt -out /etc/openldap/certs/FI_CA.pem -inform DER -outform PEM
# chmod u=rw,g=r,o=r /etc/openldap/certs/FI_CA.pem
# chown root:root /etc/openldap/certs/FI_CA.pem

The following is the LDAP NSS module configuration:

$ cat /etc/ldap.conf
base dc=fi,dc=muni,dc=cz
uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one
nss_base_group  ou=Group,dc=fi,dc=muni,dc=cz?one
ssl yes
tls_reqcert hard
tls_checkpeer yes
tls_cacert /etc/openldap/certs/FI_CA.pem
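
The settings above (ldaps:// URIs, ssl yes, tls_reqcert hard, tls_checkpeer yes and a tls_cacert path) are what make the NSS lookups encrypted and certificate-verified. As an added example that is not part of the original page, the following POSIX shell script audits an /etc/ldap.conf-style file for exactly those settings and reports every deviation. The two configurations it checks are constructed sample data written to temporary files; the weak one deliberately mixes a plain ldap:// URI with disabled certificate checks.

```shell
#!/bin/sh
# Added example: audit an /etc/ldap.conf-style file for TLS hardening.
# check_ldap_conf FILE  -> exit 0 if every setting is as expected,
#                          otherwise print one line per finding and exit 1.
check_ldap_conf() {
    conf=$1
    rc=0
    # conf_value KEY: value of the first non-comment "KEY value" line
    # (key compared case-insensitively, as the NSS LDAP module does)
    conf_value() {
        awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$conf"
    }
    # every server URI must use LDAP over TLS
    for u in $(conf_value uri); do
        case $u in
            ldaps://*) ;;
            *) echo "uri $u does not use ldaps://"; rc=1 ;;
        esac
    done
    [ "$(conf_value ssl)" = "yes" ]           || { echo "ssl is not 'yes'"; rc=1; }
    [ "$(conf_value tls_reqcert)" = "hard" ]  || { echo "tls_reqcert is not 'hard'"; rc=1; }
    [ "$(conf_value tls_checkpeer)" = "yes" ] || { echo "tls_checkpeer is not 'yes'"; rc=1; }
    [ -n "$(conf_value tls_cacert)" ]         || { echo "tls_cacert is not set"; rc=1; }
    return $rc
}

# Constructed sample configurations (not real files from any machine).
WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
# weak: one plaintext URI, certificate checks switched off, no CA configured
base dc=fi,dc=muni,dc=cz
uri ldap://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one
ssl yes
tls_reqcert never
tls_checkpeer no
EOF

cat > "$GOOD_CONF" <<'EOF'
base dc=fi,dc=muni,dc=cz
uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one
nss_base_group  ou=Group,dc=fi,dc=muni,dc=cz?one
ssl yes
tls_reqcert hard
tls_checkpeer yes
tls_cacert /etc/openldap/certs/FI_CA.pem
EOF

# Usage: run the audit against both files.
echo "== weak configuration =="
check_ldap_conf "$WEAK_CONF" || echo "-> FAIL"
echo "== hardened configuration =="
check_ldap_conf "$GOOD_CONF" && echo "-> OK"
```

Run it against the real file with check_ldap_conf /etc/ldap.conf after editing; the check only covers the settings the page uses (ssl yes with ldaps://), so a deployment that instead relies on ssl start_tls would need the URI test adjusted.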

$ cat /etc/ldap/ldap.conf
…
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/openldap/certs/FI_CA.pem

Finally, configure NSS to use the LDAP module for the Unix user and group tables.

$ cat /etc/nsswitch.conf
…
passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap
…

We should now see users and user groups:

$ id xlogin
uid=12345(xlogin) gid=10100(student) groups=10340(account_mujstroj),10000(staff),10100(student)

User list restrictions

If we wish to restrict the set of users allowed to log on to the Unix machine, we can modify the nss_base_passwd entry in the LDAP NSS module configuration file as follows:

$ grep nss_base_passwd /etc/ldap.conf
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one?host=mujstroj

We then ask technical support to create the group account_mujstroj, in which we will have administrator rights. Next, in the faculty administration, fill in the list of group members and press the "Recover mail groups and LDAP" button. Users who are members of the account_mujstroj group then carry the host attribute with the value mujstroj in LDAP, and only these users will be visible to our machine. Analogously, we can filter users and groups by any other LDAP attribute.
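
To make the mapping from the LDIF shown under "General information" to the Unix passwd table, and the effect of the ?host=mujstroj filter, concrete, here is an added example that is not part of the original page: a POSIX shell/awk script that converts ldapsearch LDIF output for posixAccount entries into passwd(5)-style lines and optionally keeps only entries carrying a given host attribute value. The LDIF is constructed sample data (xlogin is copied from the page; ylogin and its host list are invented), and base64-encoded attributes such as userPassword:: are skipped because NSS never needs them.

```shell
#!/bin/sh
# Added example: LDIF (posixAccount) -> passwd-style lines, with optional
# filtering on the "host" attribute, mirroring nss_base_passwd ... ?host=NAME.

# Constructed sample LDIF, in the shape ldapsearch prints it.
SAMPLE_LDIF='# xlogin, People, fi.muni.cz
dn: uid=xlogin,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin
cn: xlogin
objectClass: account
objectClass: posixAccount
userPassword:: e1NBU0x9eG5vdm90MzJARkkuTVVOSS5DWg==
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 10100
homeDirectory: /home/xlogin
gecos: Honza Login
host: aisa
host: anxur

# ylogin, People, fi.muni.cz
dn: uid=ylogin,ou=People,dc=fi,dc=muni,dc=cz
uid: ylogin
objectClass: posixAccount
loginShell: /bin/zsh
uidNumber: 12346
gidNumber: 10100
homeDirectory: /home/ylogin
gecos: Jana Login
host: aisa
host: mujstroj
'

# ldif_to_passwd [HOST]
# Reads LDIF on stdin and prints one passwd line per entry. When HOST is
# given, only entries that have an attribute "host: HOST" are printed.
ldif_to_passwd() {
    awk -v want_host="$1" '
        function flush() {
            if (uid != "" && (want_host == "" || matched))
                printf "%s:x:%s:%s:%s:%s:%s\n", uid, uidn, gidn, gecos, home, shell
            uid = uidn = gidn = gecos = home = shell = ""
            matched = 0
        }
        /^#/ { next }              # ldapsearch comment lines
        /^$/ { flush(); next }     # a blank line terminates an entry
        /^[A-Za-z]+::/ { next }    # base64 attributes (e.g. userPassword) are not needed
        {
            split($0, kv, ": ")
            key = kv[1]; val = substr($0, length(key) + 3)
            if (key == "uid") uid = val
            else if (key == "uidNumber") uidn = val
            else if (key == "gidNumber") gidn = val
            else if (key == "gecos") gecos = val
            else if (key == "homeDirectory") home = val
            else if (key == "loginShell") shell = val
            else if (key == "host" && val == want_host) matched = 1
        }
        END { flush() }
    '
}

# passwd_from_sample [HOST]: run the conversion over the constructed LDIF.
passwd_from_sample() {
    printf '%s' "$SAMPLE_LDIF" | ldif_to_passwd "$1"
}

# Usage: all users, then only those with host=mujstroj.
echo "== all entries =="
passwd_from_sample
echo "== host=mujstroj only =="
passwd_from_sample mujstroj
```

With the filter, only ylogin is printed, which is exactly what the machine named mujstroj would see through NSS after the nss_base_passwd change; a user without the matching host attribute simply does not exist for that host.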

Kerberos

Kerberos support is provided by a client program for requesting tickets and by a Kerberos client library for Pluggable Authentication Modules (PAM) login. In the Ubuntu repositories, both projects are available in the packages krb5-user and libpam-krb5:

# apt install krb5-user libpam-krb5

The following is a Kerberos client configuration:

$ cat /etc/krb5.conf
[libdefaults]
        default_realm = FI.MUNI.CZ
…
[realms]
…
        FI.MUNI.CZ = {
                kdc = krb.fi.muni.cz
                kdc = krb1.fi.muni.cz
                default_domain = fi.muni.cz
        }
…
[domain_realm]
…
        .fi.muni.cz = FI.MUNI.CZ
        fi.muni.cz = FI.MUNI.CZ

Requesting a Kerberos ticket should now work:

$ kinit xlogin
Password for xlogin@FI.MUNI.CZ: 

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: xlogin@FI.MUNI.CZ

Valid starting      Expires             Service principal
2.10.2019 17:55:39  3.10.2019 17:55:35  krbtgt/FI.MUNI.CZ@FI.MUNI.CZ

By default, the Kerberos PAM configuration only allows users with a UID of at least 1000 to log on. This restriction prevents an LDAP user's UID from colliding with a system user's UID. Unfortunately, some faculty UIDs are below 1000 for historical reasons, so we adjust the PAM configuration to allow users with a UID of at least 200:

$ cat /usr/share/pam-configs/krb5
Name: Kerberos authentication (MIN_UID=200)
Default: yes
Priority: 704
Conflicts: krb5-openafs
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200 try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200
Account-Type: Additional
Account:
        required                        pam_krb5.so minimum_uid=200
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200 try_first_pass use_authtok
Password-Initial:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200
Session-Type: Additional
Session:
        optional                        pam_krb5.so minimum_uid=200
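
Lowering minimum_uid from 1000 to 200 widens the set of accounts for which pam_krb5.so will attempt Kerberos authentication, so it is worth knowing which local accounts now fall into that range and whether any of their UIDs are also assigned in LDAP. As an added example that is not part of the original page, the following POSIX shell script performs that audit; the passwd lines and the "uid:uidNumber" list of LDAP users are constructed sample data, including a deliberately colliding UID 250.

```shell
#!/bin/sh
# Added example: audit the effect of a lower pam_krb5 minimum_uid threshold.

# Constructed local /etc/passwd content (not from a real machine).
LOCAL_PASSWD=$(mktemp)
LDAP_UIDS=$(mktemp)
trap 'rm -f "$LOCAL_PASSWD" "$LDAP_UIDS"' EXIT

cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
backup-agent:x:250:250:Backup service account:/var/backups:/usr/sbin/nologin
admin:x:1000:1000:Local admin:/home/admin:/bin/bash
EOF

# Constructed "uid:uidNumber" pairs, as one could extract them from
# ldapsearch output; ylogin's 250 collides with the local backup-agent.
cat > "$LDAP_UIDS" <<'EOF'
xlogin:12345
ylogin:250
zlogin:999
EOF

# pam_eligible_local_accounts MINUID PASSWD_FILE
# Prints "name:uid" for local accounts whose UID is >= MINUID, i.e. the
# accounts pam_krb5.so will consider with minimum_uid=MINUID.
pam_eligible_local_accounts() {
    awk -F: -v m="$1" '$3 + 0 >= m + 0 { print $1 ":" $3 }' "$2"
}

# uid_collisions PASSWD_FILE LDAP_FILE
# Prints "uid local=NAME ldap=NAME" for every UID present in both sources.
uid_collisions() {
    awk -F: '
        NR == FNR { lname[$3] = $1; next }      # first file: local passwd
        ($2 in lname) { print $2 " local=" lname[$2] " ldap=" $1 }
    ' "$1" "$2"
}

# Usage: compare the default threshold with the lowered one, then look
# for collisions regardless of threshold.
echo "== local accounts eligible with minimum_uid=1000 =="
pam_eligible_local_accounts 1000 "$LOCAL_PASSWD"
echo "== local accounts eligible with minimum_uid=200 =="
pam_eligible_local_accounts 200 "$LOCAL_PASSWD"
echo "== UID collisions between local passwd and LDAP =="
uid_collisions "$LOCAL_PASSWD" "$LDAP_UIDS"
```

On a real machine, point pam_eligible_local_accounts at /etc/passwd and build the LDAP list from the uid and uidNumber attributes of an ldapsearch over ou=People; any reported collision means the same numeric UID names two different accounts depending on which NSS source answers first, which is the situation the default threshold exists to avoid.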

To finish the configuration, run the PAM configuration tool. If you want a home directory to be created for the user at first login, select "Create home directory on login" in the displayed menu and confirm with "Ok":

# pam-auth-update

After that, we should be able to log in to the system:

$ ssh xlogin@localhost id
Password: 
Creating directory '/home/xlogin'.
uid=12345(xlogin) gid=10100(student) groups=10340(account_mujstroj),10000(staff),10100(student)

Useful links