
Installing and Running Ubuntu 18.04 LTS within the CERN infrastructure

    Authored by Michael Lettrich

    How to install Ubuntu 18.04 LTS and make it play nicely with the CERN infrastructure

    Prerequisites and installation

    EFI

    Boot into your BIOS/EFI setup and

    • Disable Secure Boot. This is needed because the openafs-modules-dkms package installed later builds an unsigned kernel module, which the Ubuntu kernel refuses to load while Secure Boot is enabled. Be aware that this removes firmware verification of the boot chain; the alternative is to keep Secure Boot on and let Ubuntu's DKMS tooling sign the modules with a Machine Owner Key (MOK) that you enrol through mokutil.
    • On a laptop you might also need to change the CPU standby/low-energy mode setting, which is typically set up for Windows.

    Installation

    • If you want to be able to suspend/hibernate your PC, you will need to create a swap partition that is bigger than the amount of installed RAM, so that the contents of RAM can be written to disk. Note that hibernation writes everything in memory, including keys and passwords, to that partition, so put it on an encrypted volume if you encrypt the rest of the disk.
    • If you want LDAP integration with the CERN infrastructure, create a neutral local account such as "admin" instead of one with your CERN username, so that the local account does not clash with the LDAP user and its /home/<CernId> created later.

    Integration within CERN infrastructure

    CERN Certificates

    To ensure that certificates issued by CERN are recognized, we need to install the CERN CA certificates. Download the CA certificates here. Rename the files to get rid of whitespace, make sure they are in PEM format and carry a .crt extension (update-ca-certificates silently ignores anything else in that directory), and compare their fingerprints with the values published by the CERN CA before trusting them.

    Then copy them to /usr/local/share/ca-certificates/ and add them to the system using

    sudo update-ca-certificates

    Since Firefox and Thunderbird have their own certificate stores, websites and mails signed with CERN certificates will not be trusted there unless you import the CA certificates manually. See here for Firefox and here for Thunderbird.

    Thanks to Frantisek Boranek for his description on askubuntu.
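    The steps above (rename, convert, copy, update-ca-certificates) as one script. This is an added example and not part of the original snippet: it normalises the downloaded file names, converts DER downloads to PEM, prints subject and SHA-256 fingerprint of each CA for comparison before it is trusted, and then refreshes the system store. The download directory, the file names and the script name are assumptions; it has to run as root for the copy into /usr/local/share/ca-certificates.

```shell
#!/bin/sh
# Added example, not part of the original page: normalise the downloaded CERN
# CA files and install them into the Ubuntu trust store.  update-ca-certificates
# only picks up PEM files with a .crt extension from
# /usr/local/share/ca-certificates, so DER downloads are converted and spaces in
# the file names are replaced.  Download directory and file names are
# assumptions.  Run as: sudo sh install_cern_ca.sh ~/Downloads/cern-ca
set -u

CA_DIR=/usr/local/share/ca-certificates

# "CERN Root Certification Authority 2.crt" -> CERN_Root_Certification_Authority_2.crt
sanitize_name() {
    base=$(basename "$1")
    base=${base%.*}                   # drop whatever extension the download had
    printf '%s' "$base" | tr -s '[:blank:]' '_'
    printf '.crt\n'
}

# PEM files are text that starts with "-----BEGIN"; anything else is treated as DER.
is_pem() {
    head -c 10 "$1" | grep -q -- '-----BEGIN'
}

cert_form() {
    if is_pem "$1"; then echo PEM; else echo DER; fi
}

# Copy or convert $1 into the PEM file $2.
to_pem() {
    if is_pem "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Install every file found in directory $1.  Subject and SHA-256 fingerprint
# are printed so they can be checked against the values published by the
# CERN CA before the machine starts trusting them.
install_cas() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        openssl x509 -inform "$(cert_form "$f")" -in "$f" -noout -subject -fingerprint -sha256
        to_pem "$f" "$CA_DIR/$(sanitize_name "$f")"
    done
    update-ca-certificates
}

# Afterwards: check that a PEM certificate issued by CERN chains to the store.
verify_against_store() {
    openssl verify -CApath /etc/ssl/certs "$1"
}

if [ "$#" -eq 1 ]; then
    install_cas "$1"
fi
```

    Run verify_against_store on a certificate exported from a CERN web server to confirm the chain is accepted; a failure here is also why Firefox and Thunderbird need the separate import described above.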

    CERN Kerberos

    The single sign-on (SSO) service Kerberos is crucial for AFS and LDAP logins.

    Since Kerberos tickets and authenticators carry timestamps and the KDC rejects requests whose clock differs from its own by more than the allowed skew (5 minutes by default), we first need to make sure that our system time matches the time on CERN's Kerberos servers by synchronizing it with the CERN NTP servers. Since Ubuntu 16.04, timesyncd takes care of that. Modify /etc/systemd/timesyncd.conf and make it look like this:

    [Time]
    NTP=ip-time-0.cern.ch ip-time-1.cern.ch ip-time-2.cern.ch
    FallbackNTP=ntp.ubuntu.com
    RootDistanceMaxSec=5
    PollIntervalMinSec=32
    PollIntervalMaxSec=2048

    After your modification, restart timesyncd

    sudo systemctl restart systemd-timesyncd

    and check in the journal that the right NTP servers were picked up.

    journalctl -u systemd-timesyncd

    For more information visit the excellent arch-linux wiki.

    Up next is Kerberos. Install the required packages using

    sudo apt install krb5-user krb5-config

    and enter CERN.CH as the default Kerberos realm when the installer asks for it.

    Then edit /etc/krb5.conf as described in the section on Client configuration - Kerberos in the Linux@CERN documentation and, while on a CERN network, try to obtain a Kerberos ticket with kinit <yourCernId>. Check for a valid ticket using klist.

    CERN AFS

    With working Kerberos, install the AFS packages

    sudo apt install openafs-client openafs-modules-dkms openafs-krb5

    with cern.ch as the default AFS cell. The AFS cell can be changed in /etc/openafs/ThisCell.

    With a valid Kerberos ticket, use aklog to obtain an AFS token (tokens shows what you currently hold) and try to access your AFS home directory under /afs/cern.ch/user/<firstLetterOfYourCernId>/<yourCernId>. Make sure you can read and write in your AFS home, e.g. by creating an empty file with touch mytestfile.

    CVMFS

    Since CERN distributes software such as the Intel compilers or ROOT over CVMFS, we may want to make this work as well. Add the repository as described in the docs and then configure it as described in the quickstart guide.

    Using LDAP to login with CERN credentials

    To log in with your actual CERN ID, keep passwords in sync and get single sign-on (SSO) inside the CERN network, you can use sssd and its PAM modules. When on the road or when the CERN LDAP is unavailable, sssd serves your credentials from its cache so you can continue to work.

    For this part I am assuming that you have installed Kerberos and are able to obtain a ticket successfully, and that you have imported the CA certificates. If you don't want AFS, skip that part, but don't continue without working Kerberos and the CERN CA certificates, as we are going to need them: the LDAP connection is TLS-protected and the server certificate must chain to a CA the system trusts.

    First install sssd and all necessary PAM modules

    sudo apt install sssd libpam-sss libpam-krb5 libpam-afs-session

    then carefully read the section on Configuring sssd in the Linux@CERN documentation and follow the instructions to download their config file to /etc/sssd/sssd.conf and change its permissions (the file must be owned by root with mode 0600; sssd refuses to start otherwise).

    ATTENTION: Be aware that with this config file, potentially anyone with a valid CERN ID can log in to your machine, which may not be what you want. Use the access filters explained in the documentation to restrict logins to yourself (or a small group) before you enable the PAM module.

    Being on a laptop, we don't want sssd to pick up our AFS home directory from LDAP, which will be unreachable outside CERN. Instead we need a local folder like /home/<CernId>. We enforce this by overriding the home directory attribute that comes from LDAP. Add

    override_homedir = /home/%u

    to the [domain/CERN] section in /etc/sssd/sssd.conf.
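    A pre-flight check for the edited file, added here as an example and not part of the original snippet or of the Linux@CERN configuration. It parses sssd.conf and reports the three things that matter on a laptop joined to CERN LDAP: the root:root 0600 permissions sssd insists on, override_homedir pointing under /home, and whether logins are actually restricted (sssd's default access_provider is permit, which is exactly the ATTENTION case above). The option names are real sssd options; the sample configs and the user/group names inside them are constructed, and the script name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity-check sssd.conf before
# restarting sssd.  Run as: sh check_sssd.sh /etc/sssd/sssd.conf CERN
set -u

# Print the value of key $2 in section [$1] of the ini-style file $3.
ini_get() {
    awk -F '=' -v sec="[$1]" -v key="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$3"
}

# sssd refuses a config that is not root-owned with mode 0600.
mode_ok()  { [ "$(stat -c %a "$1")" = 600 ]; }
owner_ok() { [ "$(stat -c %U "$1")" = root ]; }

# The LDAP home points into /afs, unreachable off-site, so it must be overridden.
local_home() {
    case "$(ini_get "domain/$2" override_homedir "$1")" in
        /home/*) return 0 ;;
        *)       return 1 ;;
    esac
}

# access_provider defaults to "permit": every account the LDAP server knows
# about may log in.  Accept either an LDAP filter or a simple allow list.
access_restricted() {
    d="domain/$2"
    case "$(ini_get "$d" access_provider "$1")" in
        ldap)   [ -n "$(ini_get "$d" ldap_access_filter "$1")" ] ;;
        simple) [ -n "$(ini_get "$d" simple_allow_users "$1")$(ini_get "$d" simple_allow_groups "$1")" ] ;;
        *)      return 1 ;;
    esac
}

check_sssd_conf() {            # $1 = config path, $2 = domain name (CERN)
    rc=0
    mode_ok "$1" && owner_ok "$1" || { echo "FAIL: $1 must be root:root mode 0600"; rc=1; }
    local_home "$1" "$2"        || { echo "FAIL: override_homedir does not point under /home"; rc=1; }
    access_restricted "$1" "$2" || { echo "FAIL: no access restriction, any valid CERN account can log in"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Constructed samples: "open" is a minimal config with only the home override,
# "restricted" adds a simple allow list (user and group names are made up).
sample_conf() {
    cat <<'EOF'
[sssd]
domains = CERN
services = nss, pam

[domain/CERN]
id_provider = ldap
override_homedir = /home/%u
EOF
    if [ "$1" = restricted ]; then
        printf '%s\n' 'access_provider = simple' 'simple_allow_users = jdoe' 'simple_allow_groups = my-team'
    fi
}

if [ "$#" -eq 2 ]; then
    check_sssd_conf "$1" "$2"
fi
```

    The filter variant (access_provider = ldap with ldap_access_filter) is what the Linux@CERN documentation describes; the simple allow list is the quickest way to limit a single-user laptop to its owner.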

    Finally we need to make PAM aware of all our efforts. Run

    sudo pam-auth-update

    and at least enable

    • Kerberos authentication
    • Unix authentication
    • SSS authentication
    • create home directory on login

    optionally, you can enable

    • AFS session management

    Then, make sure your /etc/nsswitch.conf looks something like this

    passwd:         compat systemd sss
    group:          compat systemd sss
    shadow:         compat sss
    gshadow:        files
    
    hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis
    sudoers:        files sss

    Finally restart sssd

    sudo systemctl restart sssd.service

    and make sure it came up:

    systemctl status sssd.service

    to verify if communication with LDAP works try

    id <CernId>

    You should see your CERN ID, with its uid and your computing groups. Now you can switch user to your CERN ID in the terminal using

    su <CernId>

    If everything is configured correctly, you are now logged in with your CERN ID, have a valid Kerberos ticket and have a local home directory under /home/<CernId>. Optionally, you can now add that user to the local sudo group to be able to administer your machine from that account.

    Then restart the system and at the lock screen, press Log in as another user and provide username and password. If everything went smoothly, you should be presented with the desktop of your graphical user interface.

    Integrate Kerberos into SSH

    Since by now we have working Kerberos tickets, we can use them for passwordless logins on lxplus. If no Kerberos ticket is present, ssh automatically falls back to passwords. Add the following to ~/.ssh/config:

    Host lxplus*
        ForwardX11 yes
        ForwardX11Trusted no
        GSSAPITrustDNS yes
        HashKnownHosts yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes

    GSSAPIDelegateCredentials forwards your Kerberos ticket to the remote host so that AFS and further Kerberos logins work from there; keep it limited to hosts you trust, which is why the block is scoped to lxplus*. GSSAPITrustDNS lets ssh build the host's service principal from the canonical name returned by DNS, which is needed because lxplus.cern.ch is a load-balanced alias, but it also means ssh relies on the DNS answer for that name.

    CERN Printing Services

    For CC7, CERN provides an RPM called lpadmincern which provides usable drivers for all printers at CERN. It also comes with a script to add and configure them correctly based on information in the CERN LDAP. With a few small tweaks we can make this work on Ubuntu as well.

    Download the latest version of lpadmincern from the CC7 RPM repositories and unpack the RPM (rpm2cpio and cpio, both available as Ubuntu packages, do this without installing rpm itself). We do a sort of manual installation. Copy the drivers to the right location.

    sudo cp -r usr/share/lpadmincern /usr/share/lpadmincern

    Now edit your unpacked usr/sbin/lpadmincern, which is a Perl script, and correct the path in sub reloadcupsd. Ubuntu 18.04 ships systemctl as /bin/systemctl, so change

    sub reloadcupsd {
        my $cupsc; 
        if ( -x '/bin/systemctl' ) {
           # is this actually needed ?
           $cupsc='/usr/bin/systemctl restart cups';
        } else {...

    to

    sub reloadcupsd {
        my $cupsc; 
        if ( -x '/bin/systemctl' ) {
           # is this actually needed ?
           $cupsc='/bin/systemctl restart cups';
        } else {...

    and copy it to its destination

    sudo cp usr/sbin/lpadmincern /usr/sbin/lpadmincern

    Finally, you will need the perl LDAP packages.

    sudo apt install libnet-ldap-perl

    Now you should be able to add CERN printers by the name found in the print service portal and have them configured automatically, e.g.

    sudo lpadmincern --add 12-1COR-HPA3

    Inspired by this twiki entry
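    The manual installation above as one script, added here as an example and not part of the original snippet or of the lpadmincern package: it unpacks the RPM with rpm2cpio, applies the systemctl path fix with sed, verifies that no reference to the wrong path is left, compile-checks the Perl script (which needs libnet-ldap-perl) before it ever runs as root, and only then copies the pieces into place. The RPM file name, the script name and the constructed excerpt of sub reloadcupsd used for checking are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: unpack the CC7 lpadmincern RPM
# on Ubuntu, patch the systemctl path, syntax-check and install.
# Run as: sh install_lpadmincern.sh lpadmincern-<version>.noarch.rpm
set -u

# Ubuntu 18.04 has systemctl in /bin, not /usr/bin, so the reload command in
# sub reloadcupsd would fail after a printer is added.  Rewrite it in place.
fix_systemctl_path() {               # $1 = unpacked usr/sbin/lpadmincern
    sed -i 's#/usr/bin/systemctl restart cups#/bin/systemctl restart cups#' "$1"
}

# 0 when no reference to the wrong path is left in the script.
systemctl_path_fixed() {
    ! grep -q '/usr/bin/systemctl' "$1"
}

unpack_rpm() {                       # $1 = rpm file, $2 = work directory
    mkdir -p "$2"
    rpm2cpio "$1" | (cd "$2" && cpio -idm --quiet)
}

main() {                             # $1 = rpm file
    work=$(mktemp -d)
    sudo apt install -y rpm2cpio cpio libnet-ldap-perl
    unpack_rpm "$1" "$work"
    script="$work/usr/sbin/lpadmincern"
    fix_systemctl_path "$script"
    systemctl_path_fixed "$script" || { echo "path fix failed" >&2; return 1; }
    # Compile-check the perl (needs Net::LDAP) before it is installed as root.
    perl -c "$script" || return 1
    sudo cp -r "$work/usr/share/lpadmincern" /usr/share/lpadmincern
    sudo install -m 0755 "$script" /usr/sbin/lpadmincern
}

# Constructed excerpt of the lines in sub reloadcupsd that need the change.
sample_reloadcupsd() {
    cat <<'EOF'
sub reloadcupsd {
    my $cupsc;
    if ( -x '/bin/systemctl' ) {
       $cupsc='/usr/bin/systemctl restart cups';
    }
}
EOF
}

if [ "$#" -eq 1 ]; then
    main "$1"
fi
```

    After the install, sudo lpadmincern --add <printerName> works as described above; if it does not reload CUPS, run systemctl_path_fixed on /usr/sbin/lpadmincern to confirm the patch was applied.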

    Firefox

    Firefox can pick up your Kerberos credentials for autologin on the CERN Web SSO forms.

    Navigate to about:config through the address bar and set both network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris to .cern.ch. The leading dot matches every host under cern.ch. trusted-uris controls which sites Firefox answers a Negotiate challenge with your ticket; delegation-uris additionally hands those servers a forwardable copy of your ticket, so don't widen either setting beyond CERN hosts.

    With a valid Kerberos ticket, you can then click [autologon] next to Sign in using your current Windows/Kerberos credentials. If a login window appears, run kinit, close the login window, ignore the error message and reload the page.

    Thanks to Branislav Ristic for his description on the CERN twiki

    Thunderbird Mail

    To configure Thunderbird, follow the official documentation. Note that for the address book to work outside CERN, you need to follow the LDAPS variant and have the CERN CAs imported in Thunderbird (see above).
