859
edits
Changes
Jump to navigation
Jump to search
Line 82:
Line 82: − + + + + + + + + Line 120:
Line 127: − + + + Line 164:
Line 173: − + − + − − If you can successfully login with a domain account you can now try and automatically mounts shares. − − You will require at least cif-utils and libpam_mount − − sudo apt-get install libpam_mount cifs-utils Line 186:
Line 189: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 196:
Line 251: + Line 204:
Line 260: − + Line 219:
Line 275: − <!-- General Directory-->+ Line 228:
Line 284: − + − − ==== PolicyKit ==== − Check if you run Policykit (most likely):+ − pgrep -lf polkit + − − To allow admin access on the desktop including the ability to shutdown/reboot etc we need to edit the following file: − /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla − − Add the following to sections as required: − − Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins − − Sections: − − [Mounting, checking, etc. of internal drives] − [Setting the clock] − [Adding or changing system-wide NetworkManager connections] − [Update already installed software] − [usb-creator] − [Printer administration] − [Modify error reporting settings] − One irritation that I have seen that I cannot find a way round is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user.+ − + − If you want to have a simple login box with manual login only you can do the following:+ − create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf + − Add the following:+ − + − greeter-show-manual-login=true + − greeter-hide-users=true − ====Miscellaneous Notes====+ − =====pam_winbind=====+ Line 281:
Line 317: − =====pam_kwallet=====+
Client Authentication:Ubuntu via sssd/ldap (view source)
Revision as of 16:44, 16 November 2020
, 16:44, 16 November 2020no edit summary
[pam]
[pam]
[domain/LDAP]
[domain/LDAP]
# Debug is now per domain
# Debug level can be 0-10 for simple levels,
# or for more control hex values Format is 0xXXXX
# 1 = 0x0010 2 = 0x0020 3 = 0x040 4 = 0x080 5 = 0x0100 6 = 0x0200
# see man sssd for more
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-troubleshooting
debug_level = 3
id_provider = ldap
id_provider = ldap
auth_provider = ldap
auth_provider = ldap
===Configure the system to use SSSD as a source of authentication:===
===Configure the system to use SSSD as a source of authentication:===
Setup to use the tool auth-client-config:
Setup to use the tool auth-client-config.
{{Tip box|If you intend to automatically mount shares please see the Mount Shares section below and add the relevant sections to pam_auth and pam_session here first. You may also want the section in System Permissions }}
We can copy and paste in a terminal to add following lines:
We can copy and paste in a terminal to add following lines:
===Mount Shares===
==Desktop Setup==
{{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}
{{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}
====Basic Setup====
===Sudoers===
Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.
Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.
Add this:
Add this:
%cliadmins ALL=(ALL) ALL
%cliadmins ALL=(ALL) ALL
===System Permissions & PolicyKit===
I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss
pam_session=
session optional pam_systemd.so
Check if you run Policykit (most likely):
pgrep -lf polkit
To allow admin access on the desktop we need to edit the following file:
/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
Add the following to sections as required:
Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins
Sections:
[Mounting, checking, etc. of internal drives]
[Setting the clock]
[Adding or changing system-wide NetworkManager connections]
[Update already installed software]
[usb-creator]
[Printer administration]
[Modify error reporting settings]
===LightDM Login Box===
If you want to have a simple login box with manual login only you can do the following:
create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf
Add the following:
[SeatDefaults]
greeter-show-manual-login=true
greeter-hide-users=true
===Mount Shares===
{{Note box|The following page is worth a read https://wiki.contribs.org/Smeserver-tw-logonscript#Linux_client_integration
It is possible to create a simple local pam_mount.conf.xml file and then load a per user config from the server}}
If you can successfully login with a domain account you can now try and automatically mounts shares.
You will require at least cif-utils and libpam-mount
sudo apt-get install libpam-mount cifs-utils
In the above file /etc/auth-client-config/profile.d/sss
In the above file /etc/auth-client-config/profile.d/sss
pam_session=
pam_session=
session optional pam_mount.so enable_pam_password
session optional pam_mount.so enable_pam_password
Add the following:
Add the following:
cat <<'_EOF' >/etc/security/pam_mount.conf.xml
cat <<'_EOF' >/etc/security/pam_mount.conf.xml
<pam_mount>
<pam_mount>
<debug enable = "0" />
<debug enable = "0" />
user = "*"
user = "*"
sgrp = "admins"/>
sgrp = "admins"/>
<!-- General Directory-->
<volume fstype = "cifs"
<volume fstype = "cifs"
server = "sme.server.com"
server = "sme.server.com"
sgrp = "admins"/>
sgrp = "admins"/>
</pam_mount>
</pam_mount>
_EOF
_EOF
You may need to add a 'sec' option like this:
options = "uid=%(USER),nosuid,nodev,noexec,sec=ntlmssp,vers=1.0"
Now when you login as a domain user your shares should mount and you should have full sudo access.
Now when you login as a domain user your shares should mount and you should have full sudo access.
==Miscellaneous Notes==
====LightDM Login Box====
===Local password required for sudo===
One irritation that I have seen is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user.
I believe adding your new group to the following file will then present you with a list of users who can authenticate:
/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
[SeatDefaults]
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin;unix-group:cliadmins
It will present an 'Authenticate' box with a list of users - I have not yet found how to just accept the password for the current logged in user (as per normal case for standalone user). Most likely it requires a modification to lightdm similar to above.
===pam_winbind===
You may get the following error:
You may get the following error:
cd /lib;ln -s /lib/x86_64-linux-gnu/security security
cd /lib;ln -s /lib/x86_64-linux-gnu/security security
===pam_kwallet===
If you do not use kwallet and get annoyed by this message:
If you do not use kwallet and get annoyed by this message: