Faculty authentication on a machine in the FI network
You can enable faculty account authentication on your own machine using Lightweight Directory Access Protocol (LDAP) and Kerberos.
If you manage an official service against which faculty accounts are authenticated, or if you want to authenticate that service against another service, we support issuing Kerberos principals (of the form service/hostname.fi.muni.cz) and making them available as keytabs. For more information, contact unix@fi.muni.cz.
The instructions below are targeted at Unix OSes, specifically the Ubuntu 18.04 LTS Linux distribution. The procedure for other distributions and OSes may differ.
General Information
The Lightweight Directory Access Protocol (LDAP) is available on the FI network and provides information about individual users and user groups. An ellipsis (…) in the output indicates omitted text (here and in the other examples in this text):
$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=People,dc=fi,dc=muni,dc=cz cn=xlogin -x
# xlogin, People, fi.muni.cz
dn: uid=xlogin,ou=People,dc=fi,dc=muni,dc=cz
uid: xlogin
cn: xlogin
objectClass: account
objectClass: posixAccount
userPassword:: e1NBU0x9bXl4bG9naW5ARkkuTVVOSS5DWg==
loginShell: /bin/bash
uidNumber: 12345
gidNumber: 10100
homeDirectory: /home/xlogin
gecos: Honza Login
host: aisa
host: anxur
$ ldapsearch -H ldap://ldap.fi.muni.cz/ -b ou=Group,dc=fi,dc=muni,dc=cz cn=student -x
# student, Group, fi.muni.cz
dn: cn=student,ou=Group,dc=fi,dc=muni,dc=cz
objectClass: posixGroup
objectClass: top
cn: student
gidNumber: 10100
memberUid: xlogin1
memberUid: xlogin2
…
This information can then be used as an additional source of Unix user and group tables using the Name Service Switch (NSS) framework. This allows, among other things, file systems to be shared across Unix machines.
The Kerberos protocol is also available on the FI network and allows authentication against faculty user accounts using faculty passwords via the Pluggable Authentication Modules (PAM) framework. This enables single sign-on on faculty Unix machines.
Lightweight Directory Access Protocol
LDAP is used by the Name Service Switch (NSS) module in conjunction with the NSCD caching daemon, which reduces response times and load on the network. Both are available in the Ubuntu repositories as the nscd and libnss-ldap packages:
# apt install nscd libnss-ldap
You then need to download the faculty CA certificate used for encrypted (TLS) connections to the LDAP servers and convert it to PEM (create the target directory /etc/openldap/certs first if it does not exist):
$ wget https://fadmin.fi.muni.cz/cacert/FI_CA.crt
# openssl x509 -in FI_CA.crt -out /etc/openldap/certs/FI_CA.pem -inform DER -outform PEM
# chmod u=rw,g=r,o=r /etc/openldap/certs/FI_CA.pem
# chown root:root /etc/openldap/certs/FI_CA.pem
The LDAP NSS module is configured as follows:
$ cat /etc/ldap.conf
base dc=fi,dc=muni,dc=cz
uri ldaps://ldap1.fi.muni.cz ldaps://ldap.fi.muni.cz
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one
nss_base_group ou=Group,dc=fi,dc=muni,dc=cz?one
ssl yes
tls_reqcert hard
tls_checkpeer yes
tls_cacert /etc/openldap/certs/FI_CA.pem
$ cat /etc/ldap/ldap.conf
…
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/openldap/certs/FI_CA.pem
Finally, we configure NSS to use the LDAP NSS module for Unix user and group tables.
$ cat /etc/nsswitch.conf
…
passwd: compat systemd ldap
group: compat systemd ldap
shadow: compat ldap
…
We should now see the users and user groups:
$ id xlogin
uid=12345(xlogin) gid=10100(student) groups=10340(account_myhost),10000(staff),10100(student)
User List Restrictions
If we wish to restrict the list of users allowed to log on to the Unix machine, we can modify the value of nss_base_passwd in the LDAP NSS module configuration file as follows:
$ grep nss_base_passwd /etc/ldap.conf
nss_base_passwd ou=People,dc=fi,dc=muni,dc=cz?one?host=myhost
Then we have technical support create a group account_myhost in which we have administrator rights. Next, in the faculty administration, we populate the list of group members and press the "Regenerate mail groups and LDAP" button. For the users who are members of the group account_myhost, LDAP then shows the attribute host with the value myhost. Only these users will be visible to our machine afterwards. Similarly, we can filter users and groups by any other LDAP attribute.
Kerberos
To support the Kerberos protocol, we use a client program to request tickets and a Pluggable Authentication Modules (PAM) library to log in using the Kerberos client. Both are available in the Ubuntu repositories as the krb5-user and libpam-krb5 packages:
# apt install krb5-user libpam-krb5
The following is the Kerberos client configuration:
$ cat /etc/krb5.conf
[libdefaults]
    default_realm = FI.MUNI.CZ
    …
[realms]
    …
    FI.MUNI.CZ = {
        kdc = krb.fi.muni.cz
        kdc = krb1.fi.muni.cz
        default_domain = fi.muni.cz
    }
    …
[domain_realm]
    …
    .fi.muni.cz = FI.MUNI.CZ
    fi.muni.cz = FI.MUNI.CZ
Requesting Kerberos tickets should now work:
$ kinit xlogin
Password for xlogin@FI.MUNI.CZ:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: xlogin@FI.MUNI.CZ
Valid starting Expires Service principal
2.10.2019 17:55:39 3.10.2019 17:55:35 krbtgt/FI.MUNI.CZ@FI.MUNI.CZ
The Kerberos PAM module, in its default configuration, only allows users with a UID of 1000 or more to log in. This restriction prevents LDAP users' UIDs from colliding with those of local system accounts. Unfortunately, the faculty UID of some users is less than 1000 for historical reasons, so we modify the PAM configuration to allow users with a UID of 200 or more to log in (continuation lines in this file must be indented):
$ cat /usr/share/pam-configs/krb5
Name: Kerberos authentication (MIN_UID=200)
Default: yes
Priority: 704
Conflicts: krb5-openafs
Auth-Type: Primary
Auth:
	[success=end default=ignore] pam_krb5.so minimum_uid=200 try_first_pass
Auth-Initial:
	[success=end default=ignore] pam_krb5.so minimum_uid=200
Account-Type: Additional
Account:
	required pam_krb5.so minimum_uid=200
Password-Type: Primary
Password:
	[success=end default=ignore] pam_krb5.so minimum_uid=200 try_first_pass use_authtok
Password-Initial:
	[success=end default=ignore] pam_krb5.so minimum_uid=200
Session-Type: Additional
Session:
	optional pam_krb5.so minimum_uid=200
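An added check, not from the original page, for the trade-off described above: lowering minimum_uid to 200 lets historical low-UID accounts log in, but it also widens the range in which an LDAP uidNumber can coincide with a local system account, which would make the two identities indistinguishable to the kernel. The /etc/passwd lines and the users xold and xclash are constructed.

```python
# Constructed sample of a local /etc/passwd; only the fields used here matter.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
systemd-network:x:101:102:systemd Network Management:/run/systemd:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
"""

# Constructed LDAP accounts (login -> uidNumber): xlogin is the page's example;
# xold (historical UID below 200) and xclash (same UID as local admin) are invented.
LDAP_USERS = {"xlogin": 12345, "xold": 150, "xclash": 1000}


def local_uids(passwd_text):
    """Map uidNumber -> login for every well-formed passwd(5) line."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            uids[int(fields[2])] = fields[0]
    return uids


def pam_krb5_handles(uid_number, minimum_uid=200):
    """pam_krb5 skips users whose UID is below minimum_uid (200 on this page)."""
    return uid_number >= minimum_uid


def audit_ldap_uids(ldap_users, passwd_text, minimum_uid=200):
    """Return {login: problem} for LDAP accounts that pam_krb5 would ignore or
    whose uidNumber is already taken by a local account (a collision lets the
    two identities share files, processes and home directories)."""
    local = local_uids(passwd_text)
    problems = {}
    for login, uid in ldap_users.items():
        if uid in local:
            problems[login] = f"uidNumber {uid} collides with local user {local[uid]}"
        elif not pam_krb5_handles(uid, minimum_uid):
            problems[login] = f"uidNumber {uid} below minimum_uid={minimum_uid}"
    return problems
```

Run it against the real /etc/passwd and the ldapsearch output of ou=People before lowering minimum_uid, and resolve any reported collision by changing the local account's UID.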
We finish the configuration by running the PAM configuration tool. If you want to create a home directory when the user logs in for the first time, select "Create home directory on login" in the menu that appears and confirm with "Ok":
# pam-auth-update
You should then be able to log in to the system:
$ ssh xlogin@localhost id
Password:
Creating directory '/home/xlogin'.
uid=12345(xlogin) gid=10100(student) groups=10340(account_myhost),10000(staff),10100(student)