On-board computer: Adding CERN accounts

CERN accounts, Kerberos & AFS

In order to allow people to log into a board with their CERN accounts, install Kerberos, and mount AFS, run the following commands:

sudo /usr/bin/locmap --enable afs
sudo /usr/bin/locmap --configure all

To check that the relevant modules have been enabled and configured, run sudo /usr/bin/locmap --list - you should see the following output:

[Available Modules]
afs            [ enabled]
cernbox        [disabled]
cvmfs          [disabled]
eosclient      [disabled]
kerberos       [ enabled]
lpadmin        [ enabled]
nscd           [ enabled]
ntp            [ enabled]
sendmail       [ enabled]
ssh            [ enabled]
sudo           [ enabled]

Note

To be able to use a Kerberos token for SSH authentication, the board needs to have a fixed IP address. If the output of host $(hostname) includes dyndns.cern.ch, e.g.:

BOARD-HOSTNAME.cern.ch is an alias for BOARD-HOSTNAME.dyndns.cern.ch.
BOARD-HOSTNAME.dyndns.cern.ch has address 128.141.143.116

then your board has a dynamic IP address, and so the /etc/krb5.keytab file that is required to use Kerberos tokens with SSH will not be generated.
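The two things that most often go wrong at this point are a module that was never enabled and a dynamic (dyndns) address that stops the keytab from being generated. The script below is an added pre-flight check, not part of the Serenity board-setup page: it parses the output of locmap --list and host $(hostname) in the formats shown above and gives a pass/fail verdict. The sample outputs embedded in it are constructed to match that format (the 192.0.2.x addresses are documentation addresses, not real boards); with CHECK_LIVE=1 it queries the real commands on the board instead.

```shell
#!/bin/bash
# Added pre-flight checks for CERN-account logins (not part of the
# Serenity board-setup page). They parse the output of `locmap --list`
# and `host $(hostname)` so that a missing module or a dynamic IP is
# reported before anyone tries to SSH in with a Kerberos token.

# Modules the page says must be enabled for Kerberos/AFS logins.
REQUIRED_MODULES="afs kerberos ssh"

# Return 0 if every module in REQUIRED_MODULES shows "[ enabled]" in the
# locmap listing passed as $1; otherwise name the missing ones and return 1.
locmap_modules_enabled() {
    listing=$1
    missing=""
    for m in $REQUIRED_MODULES; do
        # Lines look like: "afs            [ enabled]"
        if ! printf '%s\n' "$listing" | grep -Eq "^${m}[[:space:]]+\[ enabled\]"; then
            missing="$missing $m"
        fi
    done
    if [ -n "$missing" ]; then
        echo "locmap: not enabled:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if the `host` output in $1 shows a fixed address, 1 if it
# mentions dyndns.cern.ch (dynamic IP, so no /etc/krb5.keytab for sshd).
host_has_fixed_ip() {
    if printf '%s\n' "$1" | grep -q 'dyndns\.cern\.ch'; then
        echo "host: dynamic (dyndns) address, Kerberos SSH logins will not work" >&2
        return 1
    fi
    return 0
}

# Combined verdict: 0 only if both checks pass.
kerberos_ssh_ready() {
    locmap_modules_enabled "$1" && host_has_fixed_ip "$2"
}

# Constructed sample outputs (same shape as the real ones, not captured
# from a board) so the functions can be exercised offline.
SAMPLE_LOCMAP_OK='[Available Modules]
afs            [ enabled]
cernbox        [disabled]
kerberos       [ enabled]
ssh            [ enabled]
sudo           [ enabled]'

SAMPLE_LOCMAP_BAD='[Available Modules]
afs            [disabled]
kerberos       [ enabled]
ssh            [ enabled]'

SAMPLE_HOST_FIXED='BOARD-HOSTNAME.cern.ch has address 192.0.2.10'
SAMPLE_HOST_DYN='BOARD-HOSTNAME.cern.ch is an alias for BOARD-HOSTNAME.dyndns.cern.ch.
BOARD-HOSTNAME.dyndns.cern.ch has address 192.0.2.11'

# With CHECK_LIVE=1 the real commands on the board are queried instead.
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    live_locmap=$(sudo /usr/bin/locmap --list)
    live_host=$(host "$(hostname)")
    kerberos_ssh_ready "$live_locmap" "$live_host" && echo "ready for Kerberos SSH logins"
else
    kerberos_ssh_ready "$SAMPLE_LOCMAP_OK" "$SAMPLE_HOST_FIXED" && echo "sample: ready"
    kerberos_ssh_ready "$SAMPLE_LOCMAP_BAD" "$SAMPLE_HOST_DYN" || echo "sample: not ready (expected)"
fi
```

Run it on the board as CHECK_LIVE=1 sh check.sh after the locmap steps; a non-zero exit with the reason on stderr means the later addusercern and SSH steps will not work yet.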

CERN accounts can then be added to the computer as follows:

sudo addusercern SOME_USERNAME

If people logged in with CERN accounts will need to be able to read files under /home/cmx, run the following commands from the cmx account (the find form is used so that directory names containing spaces are handled correctly). Note that this makes every file under /home/cmx readable by all accounts on the board, so don't keep private keys or other credentials there:

chmod -R a+r /home/cmx
find /home/cmx -type d -exec chmod a+x {} +

SSH access for large groups of users

In order to give several CERN accounts SSH access to multiple boards at CERN, you can centrally manage the list of accounts with an e-group, and configure each board to read the membership of that e-group from the central LDAP service.

  1. To set this up, you’ll first need to create the corresponding e-group. Note that you’ll need to wait until that e-group has been approved, and until its membership has been synchronised - see the “Sync state” field in the “Settings” tab after finding your e-group in https://e-groups.cern.ch/e-groups/EgroupsSearchForm.do . You can then verify that the e-group membership is being correctly published by the central LDAP service, by running the following command (make sure that you replace NAME_OF_MY_EGROUP with the appropriate value):

    ldapsearch -LLL -x -h xldap.cern.ch -b "DC=cern,DC=ch" "(&(objectClass=user)(memberOf=CN=NAME_OF_MY_EGROUP,OU=e-groups,OU=Workgroups,DC=cern,DC=ch))" objectGUID userPrincipalName

  2. Download the SSSD configuration file to your board

    sudo curl https://serenity.web.cern.ch/serenity/board-setup/_downloads/sssd/sssd.conf -o /etc/sssd/sssd.conf

    Then open the downloaded file and change NAME_OF_MY_EGROUP to the name of the e-group you want to use.

  3. Set the SSSD config file’s ownership, permissions and SELinux context (SSSD refuses to start if the file is readable by anyone other than root)

    sudo chown root:root /etc/sssd/sssd.conf
    sudo chmod 0600 /etc/sssd/sssd.conf
    sudo restorecon /etc/sssd/sssd.conf

  4. Enable SSSD

    sudo authconfig --enablesssd --enablesssdauth --update

  5. Run the SSSD daemon, and ensure that it starts on boot

    sudo systemctl enable sssd
    sudo systemctl stop sssd
    sudo systemctl start sssd

  6. Verify that you can access the information for a CERN account using the following command:

    getent passwd SOME_CERN_USERNAME

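The steps above tell you to eyeball the ldapsearch result, the file permissions and the getent output. The helpers below turn those three checks into pass/fail functions; they are an added example and not part of the Serenity board-setup page. The LDIF embedded in it is a constructed sample in the shape that ldapsearch -LLL prints (two made-up accounts, dummy objectGUID values), the e-group name is the same NAME_OF_MY_EGROUP placeholder as above, and the LDAP query itself is the page's own command wrapped in a function.

```shell
#!/bin/bash
# Added verification helpers for the e-group / SSSD steps (not part of
# the Serenity board-setup page). The sample LDIF below is constructed,
# not a real query result; EGROUP is a placeholder to replace.

EGROUP="NAME_OF_MY_EGROUP"   # placeholder: replace with the real e-group name

# Print the userPrincipalName of every entry in an ldapsearch -LLL result
# passed as $1, one per line. Return 1 if no members were published at all
# (sync not finished, e-group not yet approved, or wrong name).
egroup_members() {
    members=$(printf '%s\n' "$1" | sed -n 's/^userPrincipalName: //p')
    if [ -z "$members" ]; then
        echo "e-group $EGROUP: no members published by LDAP yet" >&2
        return 1
    fi
    printf '%s\n' "$members"
}

# Number of members found in the LDIF passed as $1.
egroup_member_count() {
    egroup_members "$1" | grep -c .
}

# Query the central LDAP service with the same filter as the page and
# pass the result to egroup_members. Needs network access to xldap.cern.ch.
egroup_members_live() {
    ldif=$(ldapsearch -LLL -x -h xldap.cern.ch -b "DC=cern,DC=ch" \
        "(&(objectClass=user)(memberOf=CN=${EGROUP},OU=e-groups,OU=Workgroups,DC=cern,DC=ch))" \
        objectGUID userPrincipalName)
    egroup_members "$ldif"
}

# Return 0 only if the file in $1 is owned by root:root with mode 0600,
# which is what step 3 sets and what sssd requires before it will start.
sssd_conf_secure() {
    owner=$(stat -c '%U:%G' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$owner" != "root:root" ] || [ "$mode" != "600" ]; then
        echo "$1: owner=$owner mode=$mode (want root:root 0600)" >&2
        return 1
    fi
    return 0
}

# Return 0 if the account in $1 resolves through NSS (step 6 above),
# i.e. sssd is serving the e-group members to the board.
account_resolves() {
    getent passwd "$1" >/dev/null
}

# Constructed sample of what ldapsearch -LLL prints for two members.
# Real output has genuine base64 objectGUID values; these are dummies.
SAMPLE_LDIF='dn: CN=auser,OU=Users,OU=Organic Units,DC=cern,DC=ch
objectGUID:: AAAAAAAAAAAAAAAAAAAAAA==
userPrincipalName: auser@CERN.CH

dn: CN=buser,OU=Users,OU=Organic Units,DC=cern,DC=ch
objectGUID:: AAAAAAAAAAAAAAAAAAAAAA==
userPrincipalName: buser@CERN.CH
'

# Offline demonstration on the constructed sample.
echo "sample e-group has $(egroup_member_count "$SAMPLE_LDIF") member(s):"
egroup_members "$SAMPLE_LDIF"
```

On a board, after steps 1 to 6, a full check is egroup_members_live, sssd_conf_secure /etc/sssd/sssd.conf and account_resolves SOME_CERN_USERNAME in turn; the first one that returns non-zero tells you which step to revisit.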
Note: These instructions are based on the information in https://linux.web.cern.ch/docs/account-mgmt/ . However, if the above commands do not work without modifications, please get in touch with Tom Williams to correct this page.