
Warning on login methods

This guide only applies to machines that have been joined to Active Directory, for people who log in with their UC user code and password. The method below doesn't really work for logins with SSH keys, because no password is presented at login and therefore no Kerberos ticket is obtained.

Warning on time limits

The guide below shows how to automount SMB shares on login using a Kerberos ticket obtained when authenticating against Active Directory. Kerberos tickets are limited in time and that limit is enforced by the server. Expect to lose your mount if you stay logged in for more than 7 days at a time in a single session. Kerberos tickets have a lifespan of 10 hours and can be renewed for up to 7 days at UC. If your machine was connected to Active Directory by the eResearch support team (François Bissey at the time of writing), your ticket should be renewed automatically until the end of the 7 days by the login service.

Our team can do the setup for you according to your specifications (within reason). This page is mainly for people who want to manage and learn things on their own. It also documents some limitations of the current storage solution at UC, and can help you make an informed decision on the setup if you request it be done by the eResearch support team.

Pre-requisites

This setup uses pam_mount to mount the UC shared drives automatically upon login. We need the following packages on the machine:

packages to install
sudo apt install libpam-mount cifs-utils hxtools keyutils

The command above is for Ubuntu/Debian distributions. Look for the equivalent packages if you use a different flavour. Note that some pre-requisites should already be present because your system has been joined to Active Directory.

You should already have the krb5-user package installed. Upon installation it should have generated a sample krb5.conf in the /etc folder of your machine. This configuration, usually based on the original setup at MIT, can be safely removed in its entirety and replaced with the following:

/etc/krb5.conf
[libdefaults]
  default_realm = CANTERBURY.AC.NZ
  dns_lookup_realm = true
  dns_lookup_kdc = true
  # requested lifetimes; the KDC caps them (10 hours, renewable for 7 days at UC)
  ticket_lifetime = 24h
  renew_lifetime = 7d
  # per-user credential cache; cifs.upcall looks it up for the uid given by the cruid= mount option
  default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
  CANTERBURY.AC.NZ = {
    default_domain = canterbury.ac.nz
  }

[domain_realm]
  canterbury.ac.nz = CANTERBURY.AC.NZ
  .canterbury.ac.nz = CANTERBURY.AC.NZ

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

Optional

Because pam_mount has been installed, the configuration of the sssd daemon, which is in charge of managing your login with Active Directory, should get a small change. Note that this is optional: without it some complaints will be registered in the logs on the machine, but functionality won't be affected.

In the file /etc/sssd/sssd.conf, the last line of the [sssd] block, labelled services, needs to have pam removed. From

Original /etc/sssd/sssd.conf file
[sssd]
domains = canterbury.ac.nz
config_file_version = 2
services = nss, pam

to

Updated /etc/sssd/sssd.conf
[sssd]
domains = canterbury.ac.nz
config_file_version = 2
services = nss

Do not touch any other lines before or after the services line.
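As an added example (written for this page, not taken from it or from sssd), the following Python helper makes exactly that edit and nothing else: it drops pam from the services key of the [sssd] section only, copies every other line through unchanged, and is a no-op when run again. The embedded sssd.conf is a constructed sample.

```python
import re
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")            # e.g. "[sssd]"
SERVICES_RE = re.compile(r"^(\s*services\s*=\s*)(.*?)\s*$")  # e.g. "services = nss, pam"


def drop_service(text: str, service: str = "pam", section: str = "sssd") -> str:
    """Return sssd.conf text with `service` removed from the `services` key of
    `section`. Comments, other sections and other keys are copied through
    unchanged, so running it twice yields the same result."""
    out = []
    current = None  # name of the section we are currently inside
    for raw in text.splitlines(keepends=True):
        line = raw.rstrip("\r\n")
        newline = raw[len(line):]
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1).strip().lower()
        elif current == section:
            kv = SERVICES_RE.match(line)
            if kv:
                head, value = kv.groups()
                names = [s.strip() for s in value.split(",") if s.strip()]
                kept = [s for s in names if s.lower() != service]
                line = head + ", ".join(kept)
        out.append(line + newline)
    return "".join(out)


def rewrite_file(path: str = "/etc/sssd/sssd.conf") -> bool:
    """Apply drop_service to a file in place. Keeps a .bak copy and preserves the
    file mode on both copies: sssd refuses to start unless sssd.conf is 0600 and
    root-owned, and the backup may hold the same secrets. Returns True if changed."""
    p = Path(path)
    original = p.read_text()
    updated = drop_service(original)
    if updated == original:
        return False
    mode = p.stat().st_mode & 0o777
    backup = p.with_suffix(p.suffix + ".bak")
    backup.write_text(original)
    backup.chmod(mode)
    tmp = p.with_suffix(p.suffix + ".tmp")
    tmp.write_text(updated)
    tmp.chmod(mode)
    tmp.replace(p)  # atomic rename so sssd never sees a half-written file
    return True


# Constructed sample (not a real UC file): only the [sssd] services line changes.
SAMPLE = """[sssd]
domains = canterbury.ac.nz
config_file_version = 2
services = nss, pam

[pam]
pam_id_timeout = 5

[domain/canterbury.ac.nz]
id_provider = ad
"""

if __name__ == "__main__":
    print(drop_service(SAMPLE), end="")
```

Run rewrite_file() as root to edit the live file; drop_service() on its own is safe to try on any copy first.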

Managing the mounting process takes place in the file /etc/security/pam_mount.conf.xml. Further configuration can be devolved to the user inside a file in their home directory; this needs to be allowed, and the file location defined, in the general configuration file under /etc/security. The advantage of devolving some configuration to the user is that they can choose a mount point in a folder they own. More on this in the next few sections.

Mounting file systems in central mount points

In this section we configure pam_mount to mount all the shares you would usually need under a central point, /file; this mimics the setup of the Red Hat machines centrally managed by ITS. The only difference is that we don't make the P drive the home directory for your user, we just make it available.

You can use the pam_mount.conf.xml file below to mount the P drive, K drive, bulk, research, shared and scratch drives:

sample pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->


<pam_mount>


		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->


<debug enable="3" />

<!-- Volume definitions -->

<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Research"
    mountpoint="/file/research"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Bulk"
    mountpoint="/file/bulk"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Departments"
    mountpoint="/file/departments"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Scratch"
    mountpoint="/file/scratch"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Shared"
    mountpoint="/file/shared"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>


<!-- P drives -->
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersa$"
    mountpoint="/file/usersa"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersb$"
    mountpoint="/file/usersb"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersc$"
    mountpoint="/file/usersc"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersd$"
    mountpoint="/file/usersd"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Userse$"
    mountpoint="/file/userse"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersf$"
    mountpoint="/file/usersf"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersg$"
    mountpoint="/file/usersg"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersh$"
    mountpoint="/file/usersh"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersi$"
    mountpoint="/file/usersi"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersj$"
    mountpoint="/file/usersj"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersk$"
    mountpoint="/file/usersk"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersl$"
    mountpoint="/file/usersl"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersm$"
    mountpoint="/file/usersm"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersn$"
    mountpoint="/file/usersn"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Userso$"
    mountpoint="/file/userso"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersp$"
    mountpoint="/file/usersp"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersq$"
    mountpoint="/file/usersq"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersr$"
    mountpoint="/file/usersr"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Userss$"
    mountpoint="/file/userss"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Userst$"
    mountpoint="/file/userst"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersu$"
    mountpoint="/file/usersu"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersv$"
    mountpoint="/file/usersv"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersw$"
    mountpoint="/file/usersw"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersx$"
    mountpoint="/file/usersx"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersy$"
    mountpoint="/file/usersy"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>
<volume 
    fstype="cifs" 
    server="file.canterbury.ac.nz" 
    path="Usersz$"
    mountpoint="/file/usersz"
    uid="10000-640000"
    options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
/>

<!-- Override the cifs mount command so that uid and gid are not set as they
     would be by default; setting them results in a permission denied error. -->
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>


<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />




		<!-- pam_mount parameters: Volume-related -->


<mkmountpoint enable="1" remove="true" />




</pam_mount>
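As an added check (example code written for this page, not part of pam_mount or of the UC setup), the following Python lints a pam_mount.conf.xml for the properties the configuration above relies on: every volume is cifs, restricted to a uid range, carries user=, cruid= and multiuser, pins an SMB dialect other than SMB1, and mounts under /file at a unique mount point; the <cifsmount> override keeps all four placeholders, adds no uid=/gid=, and has balanced quotes. The two embedded documents are constructed samples that reuse the page's server and domain names.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Options every volume must carry for the Kerberos/multiuser setup above.
REQUIRED_OPTIONS = ("user=%(USER)", "cruid=%(USERUID)", "multiuser")
# Placeholders pam_mount substitutes into the <cifsmount> command.
CIFSMOUNT_PLACEHOLDERS = ("%(SERVER)", "%(VOLUME)", "%(MNTPT)", "%(OPTIONS)")
# Matches uid=/gid= but not cruid= (which is wanted).
UID_GID_RE = re.compile(r"(?<!\w)(uid|gid)=")


def lint_pam_mount(xml_text: str, mount_root: str = "/file") -> list[str]:
    """Return a list of problems found in a pam_mount.conf.xml document
    (empty list means it passes every check)."""
    problems: list[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "pam_mount":
        return [f"root element is <{root.tag}>, expected <pam_mount>"]

    seen_mountpoints: set[str] = set()
    for n, vol in enumerate(root.iter("volume"), start=1):
        label = f"volume {n} ({vol.get('path', '?')})"
        if vol.get("fstype") != "cifs":
            problems.append(f"{label}: fstype should be cifs")
        if not vol.get("uid"):
            problems.append(f"{label}: no uid range, so it would apply to every account")
        opts = [o for o in vol.get("options", "").split(",") if o]
        for req in REQUIRED_OPTIONS:
            if req not in opts:
                problems.append(f"{label}: missing option {req}")
        vers = [o for o in opts if o.startswith("vers=")]
        if not vers or vers[0] == "vers=1.0":
            problems.append(f"{label}: pin the dialect with vers=3.0 (vers=1.0 selects SMB1)")
        mp = vol.get("mountpoint", "")
        if not mp.startswith(mount_root + "/"):
            problems.append(f"{label}: mountpoint {mp!r} is outside {mount_root}")
        if mp in seen_mountpoints:
            problems.append(f"{label}: duplicate mountpoint {mp!r}")
        seen_mountpoints.add(mp)

    cmd_el = root.find("cifsmount")
    if cmd_el is None or not (cmd_el.text or "").strip():
        problems.append("no <cifsmount> override: the default command adds uid=/gid=")
    else:
        cmd = cmd_el.text.strip()
        if UID_GID_RE.search(cmd):
            problems.append("cifsmount: sets uid=/gid=, which causes permission denied here")
        for ph in CIFSMOUNT_PLACEHOLDERS:
            if ph not in cmd:
                problems.append(f"cifsmount: missing placeholder {ph}")
        if cmd.count('"') % 2:
            problems.append("cifsmount: unbalanced double quote in the mount command")
    return problems


# Constructed sample in the shape of the file above (two volumes instead of 31).
GOOD = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<debug enable="0" />
<volume fstype="cifs" server="file.canterbury.ac.nz" path="Research"
        mountpoint="/file/research" uid="10000-640000"
        options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
<volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersa$"
        mountpoint="/file/usersa" uid="10000-640000"
        options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>
<mkmountpoint enable="1" remove="true" />
</pam_mount>
"""

# Constructed sample with five deliberate mistakes (missing cruid, SMB1,
# mount point outside /file, uid=/gid= in the override, stray quote).
BAD = """<pam_mount>
<volume fstype="cifs" server="file.canterbury.ac.nz" path="Research"
        mountpoint="/file/research" uid="10000-640000"
        options="user=%(USER),domain=uocnt,multiuser,vers=1.0" />
<volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersa$"
        mountpoint="/mnt/usersa" uid="10000-640000"
        options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o uid=%(USERUID),gid=%(USERGID),%(OPTIONS)"</cifsmount>
</pam_mount>
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/security/pam_mount.conf.xml"
    with open(path, encoding="utf-8") as fh:
        found = lint_pam_mount(fh.read())
    print("\n".join(found) or f"{path}: no problems found")
```

Run it against /etc/security/pam_mount.conf.xml before logging out and back in; a mistake in this file surfaces only as a failed mount at login, whereas the lint reports it immediately.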


