Translated using DeepL

Machine-translated page for increased accessibility for English questioners.

Page in original, Czech language.

Faculty authentication on a machine in the FI network

You can enable faculty account authentication on your own machine using Lightweight Directory Access Protocol (LDAP) and Kerberos.

If you manage an official service against which faculty accounts are authenticated, or if you want to authenticate that service against another service, we support issuing Kerberos principals (of the form service/hostname.fi.muni.cz) and making them available as keytabs. For more information, contact unix@fi.muni.cz.

The instructions below are targeted at Unix OSes, specifically the Ubuntu 18.04 LTS Linux distribution. The procedure for other distributions and OSes may differ.

General Information

The Lightweight Directory Access Protocol (LDAP) is available on the FI network and provides information about individual users and user groups. A dash ( ) in the output indicates omitted text (here and in other examples in this text):

$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=People,dc=fi,dc=muni,dc=cz cn=xlogin -x

# xlogin, People, fi.muni.cz
dn: uid=xlogin,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin
cn: xlogin
objectClass: account
objectClass: posixAccount
userPassword:: e1NBU0x9bXl4bG9naW5ARkkuTVVOSS5DWg==
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 10100
homeDirectory: /home/xlogin
gecos: Honza Login
host: aisa
host: anxur

$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=Group,dc=fi,dc=muni,dc=cz cn=student -x

# student, Group, fi.muni.cz
dn: cn=student,ou=Group,dc=fi,dc=muni,dc=cz
objectClass: posixGroup
objectClass: top
cn: student
gidNumber: 10100
memberUid: xlogin1
memberUid: xlogin2
…

This information can then be used as an additional source of Unix user and group tables using the Name Service Switch (NSS) framework. This allows, among other things, file systems to be shared across Unix machines.

The Kerberos protocol is also available on the FI network and allows authentication against faculty user accounts using faculty passwords via the Pluggable Authentication Modules (PAM) framework. This enables single sign-on on faculty Unix machines.

Lightweight Directory Access Protocol

LDAP is used by the Name Service Switch (NSS) module in conjunction with the NSCD caching daemon to reduce network response and load. Both projects are available in the Ubuntu repositories in the nscd and libnss-ldap packages:

# apt install nscd libnss-ldap

You then need to download a certificate for encrypted connections to LDAP servers:

$ wget https://fadmin.fi.muni.cz/cacert/FI_CA.crt
# openssl x509 -in FI_CA.crt -out /etc/openldap/certs/FI_CA.pem -inform DER -outform PEM
# chmod u=rw,g=r,o=r /etc/openldap/certs/FI_CA.pem
# chown root:root /etc/openldap/certs/FI_CA.pem

Following is the configuration of the LDAP NSS module:

$ cat /etc/ldap.conf
base dc=fi,dc=muni,dc=cz
uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one
nss_base_group  ou=Group,dc=fi,dc=muni,dc=cz?one
ssl yes
tls_reqcert hard
tls_checkpeer yes
tls_cacert /etc/openldap/certs/FI_CA.pem

$ cat /etc/ldap/ldap.conf
…
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/openldap/certs/FI_CA.pem

Finally, we configure NSS to use the LDAP NSS module for Unix user and group tables.

$ cat /etc/nsswitch.conf
…
passwd:         compat systemd ldap
group:          compat systemd ldap
shadow:         compat ldap
…

We should now see the users and user groups:

$ id xlogin
uid=12345(xlogin) gid=10100(student) groups=10340(account_myhost),10000(staff),10100(student)

User List Restrictions

If we wish to restrict the list of users that are allowed to log on to the Unix machine, we can modify the value of nss_base_passwd in the LDAP NSS module configuration file as follows:

$ grep nss_base_passwd /etc/ldap.conf
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one?host=myhost

Then, we will have technical support create a group account_myhost, in which we will have administrator rights. Next, in the faculty administration, we will populate the list of group members and press the "Regenerate mail groups and LDAP" button. Then for the users who are part of the group account_myhost, we will see in LDAP the attribute host with the value myhost. Only these users will be visible to our machine afterwards. Similarly, we can filter users and groups by any other LDAP attributes.

Kerberos

To support the Kerberos protocol, we use a client program to request tickets and a Pluggable Authentication Modules (PAM) library to log in using the Kerberos client. Both projects are available in the Ubuntu repositories in the packages krb5-user and libpam-krb5:

# apt install krb5-user libpam-krb5

The following is the Kerberos client configuration:

$ cat /etc/krb5.conf

[libdefaults]
        default_realm = FI.MUNI.CZ
…
[realms]
…
        FI.MUNI.CZ = {
                kdc = krb.fi.muni.cz
                kdc = krb1.fi.muni.cz
                default_domain = fi.muni.cz
        }
…
[domain_realm]
…
        .fi.muni.cz = FI.MUNI.CZ
        fi.muni.cz = FI.MUNI.CZ

Requesting Kerberos tickets should now work:

$ kinit xlogin
Password for xlogin@FI.MUNI.CZ:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: xlogin@FI.MUNI.CZ

Valid starting      Expires             Service principal
2.10.2019 17:55:39  3.10.2019 17:55:35  krbtgt/FI.MUNI.CZ@FI.MUNI.CZ

Kerberos by default only allows users with a UID greater than or equal to 1000 to log in. This restriction prevents the LDAP user's UID from colliding with the system user's UID. Unfortunately, the faculty UID of some users is less than 1000 for historical reasons. Therefore, we modify the PAM configuration to allow users with a UID greater than or equal to 200 to log in:

$ cat /usr/share/pam-configs/krb5
Name: Kerberos authentication (MIN_UID=200)
Default: yes
Priority: 704
Conflicts: krb5-openafs
Auth-Type: Primary
Auth:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200 try_first_pass
Auth-Initial:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200
Account-Type: Additional
Account:
        required                        pam_krb5.so minimum_uid=200
Password-Type: Primary
Password:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200 try_first_pass use_authtok
Password-Initial:
        [success=end default=ignore]    pam_krb5.so minimum_uid=200
Session-Type: Additional
Session:
        optional                        pam_krb5.so minimum_uid=200

We finish the configuration by running the PAM configuration tool. If you want to create a home directory when the user logs in for the first time, select "Create home directory on login" in the menu that appears and confirm with "Ok":

# pam-auth-update

You should then be able to log in to the system:

$ ssh xlogin@localhost id
Password: 
Creating directory '/home/xlogin'.
uid=12345(xlogin) gid=10100(student) groups=10340(account_myhost),10000(staff),10100(student)

Useful links