strutture:lnf:dr:calcolo:sistemi:login_interattivo_su_ubuntu_16.04
strutture:lnf:dr:calcolo:sistemi:login_interattivo_su_ubuntu_16.04 [2017/01/17 11:21] – tota@infn.it | strutture:lnf:dr:calcolo:sistemi:login_interattivo_su_ubuntu_16.04 [2017/01/19 13:53] (current) – tota@infn.it | ||
+ | ====== Login interattivo su Ubuntu 16.04 ====== | ||
+ | Partendo dal [[strutture: | ||
+ | |||
+ | < | ||
+ | # apt install libpam-krb5 libpam-afs-session | ||
+ | </ | ||
+ | |||
+ | Modifichiamo in ''/ | ||
+ | |||
+ | < | ||
+ | # vi / | ||
+ | |||
+ | auth sufficient pam_krb5.so try_first_pass minimum_uid=500 | ||
+ | auth sufficient pam_unix.so nullok try_first_pass | ||
+ | auth required pam_deny.so | ||
+ | auth optional pam_afs_session.so | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # vi / | ||
+ | |||
+ | account sufficient pam_krb5.so minimum_uid=500 | ||
+ | account required pam_unix.so | ||
+ | account required pam_permit.so | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # vi / | ||
+ | |||
+ | password sufficient pam_krb5.so minimum_uid=500 | ||
+ | password sufficient pam_unix.so nullok use_authtok try_first_pass sha512 | ||
+ | password required pam_deny.so | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # vi / | ||
+ | |||
+ | session optional pam_krb5.so minimum_uid=500 | ||
+ | session optional pam_afs_session.so | ||
+ | session required pam_unix.so | ||
+ | </ | ||
+ | |||
+ | Verifichiamo che siano impostate le seguenti direttive in ''/ | ||
+ | |||
+ | < | ||
+ | GSSAPIAuthentication yes | ||
+ | GSSAPIKeyExchange yes | ||
+ | GSSAPIDelegateCredentials yes | ||
+ | ForwardX11Trusted yes | ||
+ | </ | ||
+ | |||
+ | e le seguenti le direttive in ''/ | ||
+ | |||
+ | < | ||
+ | GSSAPIAuthentication yes | ||
+ | GSSAPICleanupCredentials yes | ||
+ | </ | ||
+ | |||
+ | Riavviamo il servizio '' | ||
+ | |||
+ | < | ||
+ | # systemctl restart sshd.service | ||
+ | # systemctl status sshd.service | ||
+ | </ | ||
+ | |||
+ | Verifichiamo che il file ''/ | ||
+ | |||
+ | < | ||
+ | [libdefaults] | ||
+ | default_realm = LNF.INFN.IT | ||
+ | |||
+ | [domain_realm] | ||
+ | .lnf.infn.it = LNF.INFN.IT | ||
+ | lnf.infn.it | ||
+ | |||
+ | [realms] | ||
+ | LNF.INFN.IT = { | ||
+ | kdc = kdc5s3.lnf.infn.it: | ||
+ | kdc = kdc5s2.lnf.infn.it: | ||
+ | kdc = kdc5s1.lnf.infn.it: | ||
+ | kdc = kdc5s0.lnf.infn.it: | ||
+ | kdc = kdc5p.lnf.infn.it: | ||
+ | admin_server = kdc5p.lnf.infn.it: | ||
+ | default_domain = lnf.infn.it | ||
+ | } | ||
+ | INFN.IT = { | ||
+ | kdc = k5.infn.it: | ||
+ | kdc = afscnaf.infn.it: | ||
+ | kdc = afsrm1.roma1.infn.it: | ||
+ | kdc = afsna.na.infn.it: | ||
+ | admin_server = k5.infn.it: | ||
+ | default_domain = infn.it | ||
+ | } | ||
+ | |||
+ | [appdefaults] | ||
+ | |||
+ | aklog_homedir = true | ||
+ | |||
+ | pam-afs-session = { | ||
+ | minimum_uid = 1000 | ||
+ | ignore_root = true | ||
+ | debug = true | ||
+ | } | ||
+ | |||
+ | pam = { | ||
+ | minimum_uid = 1000 | ||
+ | ticket_lifetime = 259200 | ||
+ | renew_lifetime = 604800 | ||
+ | forwardable = true | ||
+ | krb4_convert = false | ||
+ | ccache_dir = /tmp | ||
+ | tokens = true | ||
+ | krb4_convert_524 = false | ||
+ | krb4_use_as_req = false | ||
+ | #afs_cells = lnf.infn.it=afs@LNF.INFN.IT | ||
+ | afs_cells = lnf.infn.it=afs/ | ||
+ | # | ||
+ | #validate = true | ||
+ | validate = false | ||
+ | #keytab = FILE:/ | ||
+ | #debug = false | ||
+ | debug = true | ||
+ | } | ||
+ | |||
+ | </ | ||
+ | |||
+ | Per utilizzare l' | ||
+ | |||
+ | < | ||
+ | validate = true | ||
+ | keytab = FILE:/ | ||
+ | </ | ||
+ | |||
+ | Configuriamo il client LDAP per recuperare le informazioni sugli utenti che possono effettuare l' | ||
+ | |||
+ | < | ||
+ | # apt install ldap-auth-client | ||
+ | </ | ||
+ | |||
+ | Durante l' | ||
+ | |||
+ | Inseriamo l'URI ''< | ||
+ | |||
+ | < | ||
+ | |||
+ | | ||
+ | | Please enter the URI of the LDAP server to use. This is a string in the | | ||
+ | | form of ldap://< | ||
+ | | be used. The port number is optional. | ||
+ | | ||
+ | | Note: It is usually a good idea to use an IP address because it reduces | ||
+ | | risks of failure in the event name service problems. | ||
+ | | ||
+ | | LDAP server Uniform Resource Identifier: | ||
+ | | ||
+ | | ldaps:// | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | </ | ||
+ | |||
+ | Specificare '' | ||
+ | |||
+ | < | ||
+ | |||
+ | | ||
+ | | Please enter the distinguished name of the LDAP search base. Many sites | | ||
+ | | use the components of their domain names for this purpose. For example, | ||
+ | | the domain " | ||
+ | | distinguished name of the search base. | | ||
+ | | ||
+ | | Distinguished name of the search base: | | ||
+ | | ||
+ | | dc=lnf, | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | |||
+ | Specificare la versioe di LDAP (3) | ||
+ | |||
+ | < | ||
+ | |||
+ | | ||
+ | | Please enter which version of the LDAP protocol should be used by | | ||
+ | | ldapns. It is usually a good idea to set this to the highest available | ||
+ | | version. | ||
+ | | ||
+ | | LDAP version to use: | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | </ | ||
+ | |||
+ | Selezioniamo ''< | ||
+ | |||
+ | < | ||
+ | |||
+ | | ||
+ | | ||
+ | | This option will allow you to make password utilities that use pam to | | ||
+ | | behave like you would be changing local passwords. | ||
+ | | ||
+ | | The password will be stored in a separate file which will be made | | ||
+ | | readable to root only. | | ||
+ | | ||
+ | | If you are using NFS mounted /etc or any other custom setup, you should | ||
+ | | disable this. | | ||
+ | | ||
+ | | Make local root Database admin: | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | </ | ||
+ | |||
+ | Selezioniamo ''< | ||
+ | |||
+ | < | ||
+ | |||
+ | | ||
+ | | ||
+ | | Choose this option if you are required to login to the database to | | ||
+ | | retrieve entries. | ||
+ | | ||
+ | | Note: Under a normal setup, this is not needed. | ||
+ | | ||
+ | | Does the LDAP database require login? | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | </ | ||
+ | |||
+ | Configuriamo ''/ | ||
+ | |||
+ | < | ||
+ | auth-client-config -t nss -p lac_ldap | ||
+ | </ | ||
+ | |||
+ | Recuperiamo informazioni su un utente con il comando '' | ||
+ | |||
+ | < | ||
+ | id < | ||
+ | </ | ||
+ | |||
+ | Installiamo la TENEX C Shell: | ||
+ | |||
+ | < | ||
+ | # apt install tcsh | ||
+ | </ | ||
+ | |||
+ | Creiamo il file '' | ||
+ | |||
+ | < | ||
+ | setenv ORIPATH $PATH | ||
+ | |||
+ | ######################################################################### | ||
+ | # | ||
+ | # Generic lnf system login. | ||
+ | # | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | # | ||
+ | ######################################################################### | ||
+ | |||
+ | setenv PATH " | ||
+ | </ | ||
+ | |||
+ | e modifichiamo il file ''/ | ||
+ | |||
+ | < | ||
+ | # / | ||
+ | |||
+ | ######################################################################### | ||
+ | # | ||
+ | # Log logout | ||
+ | # | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | # | ||
+ | # eof | ||
+ | # | ||
+ | </ | ||
+ | |||
+ | Infine creiamo i seguenti link simbolici: | ||
+ | |||
+ | < | ||
+ | ln -s / | ||
+ | ln -s /usr /usr/afsws | ||
+ | </ |
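Review bot: The ssh client block at lines 53–56 sets `GSSAPIDelegateCredentials yes` and `ForwardX11Trusted yes` without any `Host` restriction, so if these sit under the default `Host *` stanza (the file path in the sentence above the block is truncated in this rendering, but the directives are client-side options) the user's Kerberos TGT and a fully trusted X11 connection are handed to every host they connect to, not only LNF machines; the page should tell the reader to place them under a `Host *.lnf.infn.it` stanza. The krb5.conf shown as the baseline also carries `debug = true` in both the `pam-afs-session` and `pam` sections and `validate = false` with the keytab line commented out, which reads as the intended end state rather than a troubleshooting setting; a sentence next to that block saying that `validate = true` plus the keytab (as the later paragraph describes) and `debug = false` are the values to leave in place once login works would prevent copy-paste deployments that never verify the KDC. Finally, the four PAM lines pass `minimum_uid=500` while `[appdefaults]` uses `minimum_uid = 1000`; pam-krb5's documentation states that the PAM argument takes precedence over krb5.conf, so the effective threshold is 500 — one value should be used in both places (1000 matches the first regular UID on Ubuntu 16.04).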