Line 1: |
Line 1: |
− | {{Warning box| This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10. YMMV}} | + | {{Warning box| This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Ubuntu 9.10, and subsequently a VMWare virtual machine installation with Ubuntu 10.04 LTS. YMMV}} |
− | ==Ubuntu 9.10 Authentication== | + | |
| + | ==Ubuntu 10.04 Authentication== |
| + | |
| ===Introduction=== | | ===Introduction=== |
− | The following details the setup of Ubuntu 9.10 Karmic Koala as a desktop to authenticate users against SME 7.4 using Samba and Winbind. The method has been tested using Ubuntu installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface. | + | The following details the setup of Ubuntu 10.04 Lucid Lynx as a desktop to authenticate users against SME 7.5.1 using Samba and Winbind. The method has been tested using Ubuntu installed in a VMware virtual machine on a Windows 7 host. It assumes login is via Ubuntu's standard GDM login screen. |
| + | |
| + | Ubuntu 10.04 is a long term service release, and will be supported on the desktop until April 2013. |
| | | |
| ===Install Ubuntu=== | | ===Install Ubuntu=== |
| *Download the Ubuntu .iso and install. | | *Download the Ubuntu .iso and install. |
− | {{Tip box| When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user with sudo root access. | + | {{Tip box| When prompted for a user name to log in with, give a non-SME user such as 'localuser', as this first user effectively becomes a local user with sudo root access. |
| | | |
| Make sure you set the 'Name of this Computer' to something less than 15 characters.}} | | Make sure you set the 'Name of this Computer' to something less than 15 characters.}} |
| *Complete install, login and apply all updates. | | *Complete install, login and apply all updates. |
− | {{Note box| For VirtualBox VM installation only, install the 'Guest Additions'. Mount the media and run autorun.sh}} | + | {{Note box| For VirtualBox VM installation only, install the 'Guest Additions'. Mount the media and run autorun.sh. For VMware, install the VMware Tools. Untar the installer and run vmware-install-tools.pl}} |
| ===Additional Packages=== | | ===Additional Packages=== |
| Use the 'System - Administration - Synaptic Package Manager' to install additional packages | | Use the 'System - Administration - Synaptic Package Manager' to install additional packages |
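Review bot: In the added Introduction paragraph, "long term service release" should read "Long Term Support (LTS) release", which is what the "10.04 LTS" in the revised warning box stands for. The warning box also writes "VMWare" while the Introduction and the note box write "VMware"; use "VMware" throughout. The Introduction now names SME 7.5.1 and a Windows 7 host, but the warning box still describes both test setups in one sentence without saying which SME version each was run against, so consider stating that there as well.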
Line 115: |
Line 119: |
| wbinfo -g | | wbinfo -g |
| {{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}} | | {{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}} |
| + | |
| + | === Give Domain Admins local admin rights === |
| + | |
| + | *Edit /etc/sudoers and add the following line: |
| + | |
| + | # Allow "Domain Admins" from the domain "DOMAIN" to run all commands |
| + | %<WORKGROUP>\\Domain\ Admins ALL=(ALL) ALL |
| + | |
| + | *Replace <WORKGROUP> with your SME server's Windows workgroup name. |
| | | |
| ===Login and Test=== | | ===Login and Test=== |
| *Exit the Terminal cli | | *Exit the Terminal cli |
− | *Logout of Ubuntu. | + | *Reboot the machine. |
| *Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup | | *Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup |
| *Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop. | | *Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server. The mount point should also appear on the users gui desktop. |
| + | |
| + | ===Login screen security=== |
| + | |
| + | Once you have confirmed that everything is working, you can optionally configure the graphical login screen to hide the names of both local users and SME users who have recently logged in. This won't stop any serious attempt to break into a machine but is roughly equivalent to similar options available with the Windows XP login screen. |
| + | |
| + | Simply open a terminal and run: |
| + | sudo gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type Boolean --set /apps/gdm/simple-greeter/disable_user_list True |
| | | |
| ===Issues / ToDo=== | | ===Issues / ToDo=== |
− | The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup as VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is a little slow therefore using the VM. Perhaps someone could confirm its OK when on proper subnet.
| + | This howto has only been tested in virtual non-production environments. Here are some issues you may encounter: |
| + | |
| + | * If your SME Server is on a different subnet to the Ubuntu client, the login may stall after the username and password entered. This is due to the mount of the home directory, and although it does take a few moments it does eventually complete. The cause appears to slow NAT traversal and WINS lookup. |
| + | * If you do not reboot the Ubuntu client after running auth-client-config, you will be able to log in via GDM but no session will start. |
| + | * There is presently no way to emulate Windows' roaming profile feature. This issue should be solved when [[SME Server 8]] is released, thanks to its LDAP authentication feature. |
| + | * The standard Ubuntu "Change Password" GUI program does not work. It gets stuck when trying to authenticate the current password. Similarly, the passwd CLI utility produces a segmentation fault. As a workaround, you can open a web browser and go to http://servername/user-password/ to change your password. |
| + | * The list of available users shown at the login screen is cleared after each reboot. |
| + | |
| + | ==Ubuntu 9.10 Authentication== |
| + | |
| + | ===General information=== |
| | | |
− | Haven't tested the pam password configuration to see if password changes are handled correctly.
| + | The above howto was original written for Ubuntu 9.10. It should work with this older version of Ubuntu with the following caveats. |
| | | |
− | ==== BUGS ==== | + | === Memory leak bug === |
| | | |
| There is a bug in the version of Samba that ships with Ubuntu 9.10 (Karmic Koala) which causes an 'out of memory' error in winbindd. If you experience problems logging in, you can verify if this is the cause by searching for that phrase: | | There is a bug in the version of Samba that ships with Ubuntu 9.10 (Karmic Koala) which causes an 'out of memory' error in winbindd. If you experience problems logging in, you can verify if this is the cause by searching for that phrase: |
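Review bot: The new "Give Domain Admins local admin rights" step tells readers to edit /etc/sudoers directly; it should tell them to use visudo instead, so that a syntax error in the added "%<WORKGROUP>\\Domain\ Admins ALL=(ALL) ALL" line is caught before the file is saved, because a broken sudoers file also locks out the local sudo account. The comment above the rule refers to the domain "DOMAIN" while the rule and the following bullet use <WORKGROUP>; pick one placeholder. The section should also say plainly that this rule gives every member of Domain Admins unrestricted root on the workstation. Smaller points in the same hunk: "The cause appears to slow NAT traversal" is missing "be", "original written" should be "originally written", and the password-change workaround links to http://servername/user-password/, which carries the old and new password unencrypted; give the https form of the URL if the server offers it.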
Line 135: |
Line 165: |
| </pre> | | </pre> |
| | | |
− | A fix has been released in package samba-3.4.0-3ubuntu5.5, which will be packaged as part of Ubuntu 10.04 (Lucid Lynx). It is also available in the karmic-proposed repository. | + | A fix has been released in package samba-3.4.0-3ubuntu5.5, which was subsequently packaged as part of Ubuntu 10.04 (Lucid Lynx). It is also available in the karmic-proposed repository. |
| | | |
| '''WARNING:''' Enabling the karmic-proposed repository on a production machine could cause instability. It is recommended that, in addition to adding the repository to /etc/apt/sources.list, you also create a file named '''/etc/apt/preferences.d/karmic-proposed''', with the following contents: | | '''WARNING:''' Enabling the karmic-proposed repository on a production machine could cause instability. It is recommended that, in addition to adding the repository to /etc/apt/sources.list, you also create a file named '''/etc/apt/preferences.d/karmic-proposed''', with the following contents: |
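Review bot: The reworded sentence "A fix has been released in package samba-3.4.0-3ubuntu5.5, which was subsequently packaged as part of Ubuntu 10.04" reads as though that exact package version ships in 10.04, although the same paragraph places it in the karmic-proposed repository. If the intent is that the fix is included in the Samba that ships with 10.04, say that, and keep the version number tied to the Karmic package only.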