translated by Google

Machine-translated page for increased accessibility for English questioners.

Page in original, Czech language.

Faculty authentication on a machine in the FI network

You can enable faculty account authentication on your own machine using protocols Lightweight Directory Access Protocol (LDAP) and Kerberos .

If you manage an official service against which faculty accounts are authenticated, or you want to authenticate this service to another service, we support the issuance of Kerberos principals (in the form service/hostname.fi.muni.cz ) and made available in the form of keytabs. Contact for more information unix@fi.muni.cz .

The instructions below are aimed at Unix OS, specifically at the Linux distribution Ubuntu 18.04 LTS. The procedure for other distributions and OSs may differ.

General information

Protocol Lightweight Directory Access Protocol (LDAP) is available on the FI network and provides information about individual users and user groups. Drain ( ) in the output means the omitted text (here and in other examples of this text):

$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=People,dc=fi,dc=muni,dc=cz cn=xlogin -x

# xlogin, People, fi.muni.cz
dn: uid=xlogin,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin
cn: xlogin
objectClass: account
objectClass: posixAccount
userPassword:: e1NBU0x9eG5vdm90MzJARkkuTVVOSS5DWg==
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 10100
homeDirectory: /home/xlogin
gecos: Honza Login
host: aisa
host: anxur

$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=Group,dc=fi,dc=muni,dc=cz cn=student -x

# student, Group, fi.muni.cz
dn: cn=student,ou=Group,dc=fi,dc=muni,dc=cz
objectClass: posixGroup
objectClass: top
cn: student
gidNumber: 10100
memberUid: xlogin1
memberUid: xlogin2
…

This information can then be used as another source of Unix user and group tables using the framework Name Service Switch (NSS) . This allows, among other things share file systems across Unix machines .

Protocol Kerberos it is also available in the FI network and allows authentication to faculty user accounts using the faculty password via the framework Pluggable Authentication Modules (PAM) . This allows single sign-on on faculty Unix machines.

Lightweight Directory Access Protocol

Protocol LDAP is used by the module Name Service Switch (NSS) in conjunction with the NSCD caching daemon, which reduces network response and load. In Ubuntu repositories, both projects are available in packages nscd and libnss-ldap :

# apt install nscd libnss-ldap

Next, you need to download a certificate for encrypted connections to LDAP servers:

$ wget https://fadmin.fi.muni.cz/cacert/FI_CA.crt
# openssl x509 -in FI_CA.crt -out /etc/openldap/certs/FI_CA.pem -inform DER -outform PEM
# chmod u=rw,g=r,o=r /etc/openldap/certs/FI_CA.pem
# chown root:root /etc/openldap/certs/FI_CA.pem

The following is the configuration of the LDAP NSS module:

$ cat /etc/ldap.conf
base dc=fi,dc=muni,dc=cz
uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one
nss_base_group  ou=Group,dc=fi,dc=muni,dc=cz?one
ssl yes
tls_reqcert hard
tls_checkpeer yes
tls_cacert /etc/openldap/certs/FI_CA.pem

$ cat /etc/ldap/ldap.conf
…
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/openldap/certs/FI_CA.pem

Finally, we configure NSS so that the LDAP NSS module is used for Unix tables of users and groups.

$ cat /etc/nsswitch.conf
…
passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap
…

We should now see users and user groups:

$ id xlogin
uid=12345(xlogin) gid=10100(student) groups=10340(account_mujstroj),10000(staff),10100(student)

User list restrictions

If we want to limit the list of users who are allowed to log in to the Unix machine, we can adjust the value of the item nss_base_passwd in the LDAP NSS module configuration file as follows:

$ grep nss_base_passwd /etc/ldap.conf
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one?host=mujstroj

Subsequently, we have a group created by technical support account_mujstroj , in which we will have the right of administrator. Further in faculty administration fill in the list of group members and press the "Regenerate mail groups and LDAP" button. Then for users who are part of a group account_mujstroj , we will see the attribute in LDAP host with value mujstroj . Only these users will subsequently be visible to our machine. Similarly, we can filter users and groups according to any other LDAP attributes.

Kerberos

To support the protocol Kerberos serves the client program on requesting tickets and Pluggable Authentication Modules (PAM) Kerberos client login library. In Ubuntu repositories, both projects are available in packages krb5-user and libpam-krb5 :

# apt install krb5-user libpam-krb5

The following is the Kerberos client configuration:

$ cat /etc/krb5.conf

[libdefaults]
        default_realm = FI.MUNI.CZ
…
[realms]
…
        FI.MUNI.CZ = {
                kdc = krb.fi.muni.cz
                kdc = krb1.fi.muni.cz
                default_domain = fi.muni.cz
        }
…
[domain_realm]
…
        .fi.muni.cz = FI.MUNI.CZ
        fi.muni.cz = FI.MUNI.CZ

Kerberos ticketing should now work:

$ kinit xlogin
Password for xlogin@FI.MUNI.CZ:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: xlogin@FI.MUNI.CZ

Valid starting      Expires             Service principal
2.10.2019 17:55:39  3.10.2019 17:55:35  krbtgt/FI.MUNI.CZ@FI.MUNI.CZ

By default, Kerberos allows only users with a UID greater than or equal to 1000 to log on. This restriction prevents the LDAP user's UID from conflicting with the system user's UID. Unfortunately, for historical reasons, the faculty UID of some users is less than 1000. Therefore, we will adjust the PAM configuration to allow users with a UID greater than or equal to 200 to log in:

$ cat /usr/share/pam-configs/krb5
Name: Kerberos authentication (MIN_UID=200)
Default: yes
Priority: 704
Conflicts: krb5-openafs
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200 try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200
Account-Type: Additional
Account:
        required                        pam_krb5.so minimum_uid=200
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200 try_first_pass use_authtok
Password-Initial:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200
Session-Type: Additional
Session:
        optional                        pam_krb5.so minimum_uid=200

Finish the configuration by running the PAM configuration tool. If you want the home directory to be created when the user logs in for the first time, select the item "Create home directory on login" in the displayed menu and confirm with the "OK" button:

# pam-auth-update

Subsequently, we should already be able to log in to the system:

$ ssh xlogin@localhost id
Password: 
Creating directory '/home/xlogin'.
uid=12345(xlogin) gid=10100(student) groups=10340(account_mujstroj),10000(staff),10100(student)

Useful links