====== Interactive login on Ubuntu 16.04 ======
Starting from the [[strutture:lnf:dr:calcolo:sistemi:ubuntu_16.04_template|Ubuntu 16.04 template]], install the following packages:
# apt install libpam-krb5 libpam-afs-session
Edit the files ''common-auth'', ''common-account'', ''common-password'' and ''common-session'' in ''/etc/pam.d/'' as follows. Note that ''nullok'' on the ''pam_unix.so'' lines lets a local account with an empty password field log in; leave it out unless that is intended.
# vi /etc/pam.d/common-auth
auth sufficient pam_krb5.so try_first_pass minimum_uid=500
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth optional pam_afs_session.so
# vi /etc/pam.d/common-account
account sufficient pam_krb5.so minimum_uid=500
account required pam_unix.so
account required pam_permit.so
# vi /etc/pam.d/common-password
password sufficient pam_krb5.so minimum_uid=500
password sufficient pam_unix.so nullok use_authtok try_first_pass sha512
password required pam_deny.so
# vi /etc/pam.d/common-session
session optional pam_krb5.so minimum_uid=500
session optional pam_afs_session.so
session required pam_unix.so
Check that the following directives are set in ''/etc/ssh/ssh_config'' (the client side; ''GSSAPIDelegateCredentials yes'' forwards the user's ticket to every host logged into, and ''ForwardX11Trusted yes'' gives X clients on the remote host unrestricted access to the local display):
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIDelegateCredentials yes
ForwardX11Trusted yes
and the following directives in ''/etc/ssh/sshd_config'':
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
Restart the ''sshd'' service and check that it is running:
# systemctl restart sshd.service
# systemctl status sshd.service
Check that ''/etc/krb5.conf'' is configured as follows. Note that the ''minimum_uid=500'' given on the PAM lines above takes precedence over the ''minimum_uid = 1000'' in the ''[appdefaults]'' blocks, because options in the PAM configuration override the ones in ''krb5.conf'':
[libdefaults]
default_realm = LNF.INFN.IT
[domain_realm]
.lnf.infn.it = LNF.INFN.IT
lnf.infn.it = LNF.INFN.IT
[realms]
LNF.INFN.IT = {
kdc = kdc5s3.lnf.infn.it:88
kdc = kdc5s2.lnf.infn.it:88
kdc = kdc5s1.lnf.infn.it:88
kdc = kdc5s0.lnf.infn.it:88
kdc = kdc5p.lnf.infn.it:88
admin_server = kdc5p.lnf.infn.it:749
default_domain = lnf.infn.it
}
INFN.IT = {
kdc = k5.infn.it:88
kdc = afscnaf.infn.it:88
kdc = afsrm1.roma1.infn.it:88
kdc = afsna.na.infn.it:88
admin_server = k5.infn.it:749
default_domain = infn.it
}
[appdefaults]
aklog_homedir = true
pam-afs-session = {
minimum_uid = 1000
ignore_root = true
debug = true
}
pam = {
minimum_uid = 1000
ticket_lifetime = 259200
renew_lifetime = 604800
forwardable = true
krb4_convert = false
ccache_dir = /tmp
tokens = true
krb4_convert_524 = false
krb4_use_as_req = false
#afs_cells = lnf.infn.it=afs@LNF.INFN.IT
afs_cells = lnf.infn.it=afs/lnf.infn.it@LNF.INFN.IT
#existing_ticket = true
#validate = true
validate = false
#keytab = FILE:/etc/krb5.keytab
#debug = false
debug = true
}
To have ''pam_krb5'' validate the ticket it obtains against the host key (without validation a forged reply from a spoofed KDC can satisfy the password check), create the file ''krb5.keytab'' in ''/etc/'' holding the host principal's key, and uncomment in ''/etc/krb5.conf'', in the ''pam'' block of ''[appdefaults]'', the directives:
validate = true
keytab = FILE:/etc/krb5.keytab
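The following bash script is an added example and is not part of the original page. It audits copies of the three files edited above for the properties that matter: that ''pam_krb5'' is consulted before ''pam_deny'' and ''nullok'' is absent in ''common-auth''; that ''validate'' is on in the ''pam'' block of ''krb5.conf'' and the keytab it names exists and is readable by root only; and which value ''sshd'' actually takes for a directive (the first occurrence of a keyword wins, so a stray earlier line silently overrides one added later). File paths are parameters, and the sample files the demo at the bottom writes are constructed for the demo.

```shell
#!/bin/bash
# Added example, not part of the original LNF page: an offline audit of the
# three files the procedure above edits. Paths are parameters so it can be
# run against copies; the stand-alone demo at the bottom builds constructed
# sample files in a temporary directory.

# pam_auth_ok FILE: in the auth stack pam_krb5 must be tried before
# pam_deny, and pam_unix must not carry "nullok" (empty password accepted).
pam_auth_ok() {
    local file=$1 krb5_line deny_line
    krb5_line=$(grep -n '^auth[[:space:]].*pam_krb5\.so' "$file" | head -1 | cut -d: -f1)
    deny_line=$(grep -n '^auth[[:space:]].*pam_deny\.so' "$file" | head -1 | cut -d: -f1)
    [ -n "$krb5_line" ] && [ -n "$deny_line" ] && [ "$krb5_line" -lt "$deny_line" ] || return 1
    ! grep -q '^auth[[:space:]].*pam_unix\.so.*nullok' "$file"
}

# krb5_pam_value FILE KEY: uncommented value of KEY inside the "pam = { ... }"
# block of [appdefaults]; prints nothing if the key is absent or commented out.
krb5_pam_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^\[/ { section = $1; inpam = 0 }
        section == "[appdefaults]" && $1 == "pam" && index($0, "{") { inpam = 1; next }
        inpam && index($0, "}") { inpam = 0 }
        inpam && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# krb5_validate_ok FILE: validate must be on, and the keytab it names must
# exist and be readable by root only (0600), otherwise the host key leaks.
krb5_validate_ok() {
    local keytab
    [ "$(krb5_pam_value "$1" validate)" = "true" ] || return 1
    keytab=$(krb5_pam_value "$1" keytab)
    keytab=${keytab#FILE:}
    [ -n "$keytab" ] && [ -f "$keytab" ] || return 1
    [ "$(stat -c %a "$keytab")" = "600" ]
}

# sshd_effective FILE KEYWORD: the value sshd will use. Keywords are
# case-insensitive and the FIRST occurrence wins, so a later "yes" below an
# earlier "no" is ignored. (Assumes the "Keyword value" form and no Match blocks.)
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# --- stand-alone demo on constructed sample files --------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/common-auth" <<'EOF'
auth sufficient pam_krb5.so try_first_pass minimum_uid=500
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so
auth optional pam_afs_session.so
EOF
: > "$demo_dir/krb5.keytab"
chmod 600 "$demo_dir/krb5.keytab"
cat > "$demo_dir/krb5.conf" <<EOF
[libdefaults]
default_realm = LNF.INFN.IT
[appdefaults]
pam-afs-session = {
minimum_uid = 1000
}
pam = {
minimum_uid = 1000
#validate = true
validate = true
keytab = FILE:$demo_dir/krb5.keytab
}
EOF
cat > "$demo_dir/sshd_config" <<'EOF'
# GSSAPIAuthentication no
GSSAPIAuthentication yes
gssapiauthentication no
GSSAPICleanupCredentials yes
EOF

pam_auth_ok "$demo_dir/common-auth" && echo "PAM auth stack: ok" || echo "PAM auth stack: FAIL"
krb5_validate_ok "$demo_dir/krb5.conf" && echo "krb5 validate+keytab: ok" || echo "krb5 validate+keytab: FAIL"
echo "effective GSSAPIAuthentication: $(sshd_effective "$demo_dir/sshd_config" GSSAPIAuthentication)"
```

Run it against the real files with the function names and paths, e.g. ''pam_auth_ok /etc/pam.d/common-auth'' after sourcing the script; ''sshd -T'' on the host gives the same effective values as ''sshd_effective'' but needs a valid full configuration to run.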
Configure the LDAP client so that the system can look up the users allowed to log in. Install the ''ldap-auth-client'' package:
# apt install ldap-auth-client
During installation a few configuration parameters are requested.
Enter the LDAP server URI ''ldaps://ds1.infn.it'' (keep the host name rather than an IP address, whatever the dialog suggests, so that the server certificate's name can be checked over TLS):
+---------------------| Configuring ldap-auth-config |----------------------+
| Please enter the URI of the LDAP server to use. This is a string in the |
| form of ldap://<hostname or IP address>:<port>/. ldaps:// or ldapi:// |
| can also be used. The port number is optional. |
| |
| Note: It is usually a good idea to use an IP address because it reduces |
| risks of failure in the event name service problems. |
| |
| LDAP server Uniform Resource Identifier: |
| |
| ldaps://ds1.infn.it/_________________________________________________ |
| |
| |
| |
+---------------------------------------------------------------------------+
Enter ''dc=lnf,dc=infn,dc=it'' as the search base of the LDAP directory:
+---------------------| Configuring ldap-auth-config |----------------------+
| Please enter the distinguished name of the LDAP search base. Many sites |
| use the components of their domain names for this purpose. For example, |
| the domain "example.net" would use "dc=example,dc=net" as the |
| distinguished name of the search base. |
| |
| Distinguished name of the search base: |
| |
| dc=lnf,dc=infn,dc=it__________________________________________________ |
| |
| |
| |
+---------------------------------------------------------------------------+
Select LDAP protocol version 3:
+---------------------| Configuring ldap-auth-config |---------------------+
| Please enter which version of the LDAP protocol should be used by |
| ldapns. It is usually a good idea to set this to the highest available |
| version. |
| |
| LDAP version to use: |
| |
| * 3 |
| 2 |
| |
| |
| |
| |
+--------------------------------------------------------------------------+
Select ''''
+---------------------| Configuring ldap-auth-config |----------------------+
| |
| This option will allow you to make password utilities that use pam to |
| behave like you would be changing local passwords. |
| |
| The password will be stored in a separate file which will be made |
| readable to root only. |
| |
| If you are using NFS mounted /etc or any other custom setup, you should |
| disable this. |
| |
| Make local root Database admin: |
| |
| * |
| |
+---------------------------------------------------------------------------+
Select ''''
+-------------------| Configuring ldap-auth-config |-------------------+
| |
| Choose this option if you are required to login to the database to |
| retrieve entries. |
| |
| Note: Under a normal setup, this is not needed. |
| |
| Does the LDAP database require login? |
| |
| * |
| |
+----------------------------------------------------------------------+
Configure ''/etc/nsswitch.conf'' so that users are looked up in LDAP as well as locally, by applying the ''lac_ldap'' profile:
auth-client-config -t nss -p lac_ldap
Look up a user with the ''id'' command to verify that everything is configured correctly:
id
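The following bash script is an added example and is not part of the original page. It checks, offline and on copies of the files, the two pieces of client configuration that the steps above produce: that ''/etc/nsswitch.conf'' consults ''ldap'' for ''passwd'', ''group'' and ''shadow'', and that ''/etc/ldap.conf'' (written by ''ldap-auth-config'') uses an ''ldaps://'' URI with LDAPv3 and the expected search base, since a plain ''ldap://'' URI would carry the bind and every user lookup in cleartext. The sample files it writes are constructed for the demo, not the real configuration.

```shell
#!/bin/bash
# Added example, not part of the original LNF page: an offline check of the
# NSS/LDAP client configuration that ldap-auth-config and auth-client-config
# write. Paths are parameters so it can run on copies; the demo at the bottom
# uses constructed sample files, not the real /etc/nsswitch.conf or /etc/ldap.conf.

# nss_uses_ldap FILE: passwd, group and shadow must all consult "ldap".
nss_uses_ldap() {
    local db
    for db in passwd group shadow; do
        grep -Eq "^${db}:.*[[:space:]]ldap([[:space:]]|$)" "$1" || return 1
    done
}

# ldap_conf_value FILE KEY: value of the first uncommented KEY line of
# /etc/ldap.conf (keys are case-insensitive there).
ldap_conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# ldap_client_ok FILE BASE: the URI must be ldaps:// (plain ldap:// would send
# the bind and every lookup in cleartext), with LDAPv3 and the search base BASE.
ldap_client_ok() {
    local uri
    uri=$(ldap_conf_value "$1" uri)
    case $uri in
        ldaps://*) ;;
        *) return 1 ;;
    esac
    [ "$(ldap_conf_value "$1" ldap_version)" = "3" ] || return 1
    [ "$(ldap_conf_value "$1" base)" = "$2" ]
}

# --- stand-alone demo on constructed sample files --------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/nsswitch.conf" <<'EOF'
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
cat > "$demo_dir/ldap.conf" <<'EOF'
# constructed sample in the layout ldap-auth-config writes
base dc=lnf,dc=infn,dc=it
uri ldaps://ds1.infn.it/
ldap_version 3
EOF

nss_uses_ldap "$demo_dir/nsswitch.conf" && echo "nsswitch: ldap enabled" || echo "nsswitch: ldap MISSING"
ldap_client_ok "$demo_dir/ldap.conf" dc=lnf,dc=infn,dc=it && echo "ldap.conf: ok" || echo "ldap.conf: FAIL"
```

On the real host, ''getent passwd <user>'' after these checks pass confirms that NSS actually resolves an LDAP account, which is what the ''id'' command above relies on.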
Install the TENEX C shell:
# apt install tcsh
Create the file ''lnf.login'' in ''/etc/csh/login.d/'' with the following content:
setenv ORIPATH $PATH
#########################################################################
#
# Generic lnf system login.
#
if ( -x /afs/lnf.infn.it/system/userenv/common/lnf.csh.login ) then
source /afs/lnf.infn.it/system/userenv/common/lnf.csh.login
endif
#
#########################################################################
setenv PATH "${ORIPATH}:${PATH}"
and edit ''/etc/csh.logout'' by adding:
# /etc/csh.logout: system-wide .logout file for csh(1) and tcsh(1)
#########################################################################
#
# Log logout
#
if ( -x /afs/lnf.infn.it/system/userenv/common/lnf.csh.logout ) then
source /afs/lnf.infn.it/system/userenv/common/lnf.csh.logout
endif
kdestroy
#
# eof
#
Finally, create the following symbolic links:
ln -s /afs/lnf.infn.it/system/lnflocal/@sys /usr/lnf
ln -s /usr /usr/afsws