47
edits
Changes
From SME Server
Jump to navigationJump to searchUpdated for Debian 7.0
==Client Configuration==
==Client Configuration==
===Introduction===
===Introduction===
The following is Debian 6 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
The following is Debian 7.0 desktop configuration for SME Server 8.x authentication using Samba and Winbind. It assumes login via Debians standard GDM login screen.
===Install Debian===
===Install Debian===
*Download the Debian.iso and install.
*Download the Debian.iso and install.
*Complete install, login and apply all updates.
*Complete install, login and apply all updates.
{{Note box| You need superuser privileges to make the changes. }}
{{Note box|You need root privileges to make the changes – use the root terminal. }}
===Additional Packages===
===Additional Packages===
* Install additional packages:
* Install additional packages:
# aptitude install winbind smbfs libpam-mount
# apt-get install winbind cifs-utils libpam-mount
* This will also install the required dependencies
* This will also install the required dependencies
*Open and edit /etc/samba/smb.conf. Find the relevant lines and alter them or uncomment them as below. Some lines may not exist and may need to be added.
* /etc/samba/smb.conf
Replace <WORKGROUP> below with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> below with the internal network ip address of your SME server.
[global]
[global]
workgroup = WORKGROUP # edit, to your workgroup name
workgroup = WORKGROUP
wins support = no
wins support = no
wins server = <ip of sme server>
wins server = 192.168.1.10 # edit, to your SME Server IP address
[Debugging/Accounting]
[Debugging/Accounting]
log level = 1
log level = 1
syslog = 0
syslog = 0
[Authentication]
[Authentication]
security = domain
security = domain
invalid users = root
invalid users = root
unix password sync = no
unix password sync = no
[Printing]
[Printing]
disable spoolss = yes
disable spoolss = yes
[Misc]
[Misc]
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
winbind use default domain = yes
winbind use default domain = yes
idmap config * : backend = tdb
idmap backend = rid:"WORKGROUP=5000-20000" # edit, to your workgroup name
idmap config * : range = 10001-20000
idmap config DOMAIN : backend = rid
idmap uid = 5000-20000
idmap config DOMAIN : range = 10000-20000
idmap gid = 5000-20000
idmap config DOMAIN : base_rid = 0
template shell = /bin/bash
template shell = /bin/bash
template homedir = /home/%D/%U
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind enum users = yes
*To check validation of smb.conf, run
*To check validation of smb.conf, run
testparm
testparm
===Authentication Modifications===
===Authentication Modifications===
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
* /etc/nsswitch.conf (change these lines where necessary)
* Open and edit /etc/nsswitch.conf (change these lines where necessary)
passwd: files winbind
passwd: files winbind
group: files winbind
group: files winbind
networks: files
networks: files
* /etc/sudoers (for unmounting a user's home directory on logout)
*Open and edit /etc/sudoers (for unmounting a user's home directory on logout)
{{Note box| Always use visudo to edit the sudoers file}}
{{Note box| Always use visudo to edit the sudoers file}}
#
#
# This file MUST be edited with the 'visudo' command as root.
# This file MUST be edited with the 'visudo' command as root.
#
#
# See the man page for details on how to write a sudoers file.
# Please consider adding local content in /etc/sudoers.d/ instead of
#
# directly modifying this file.
#
Defaults env_reset
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$
# Host alias specification
# Host alias specification
# User alias specification
# User alias specification
# Cmnd alias specification
# Cmnd alias specification
Cmnd_Alias UMOUNT=/bin/umount
Cmnd_Alias UMOUNT=/bin/umount
# User privilege specification
# User privilege specification
root ALL=(ALL) ALL
root ALL=(ALL:ALL) ALL
ALL ALL=NOPASSWD: UMOUNT
ALL ALL=NOPASSWD: UMOUNT
# Allow members of group sudo to execute any command
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
%sudo ALL=(ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#
#includedir /etc/sudoers.d
#includedir /etc/sudoers.d
* /etc/pam.d/common-auth (replace contents with the following)
*Open and edit /etc/pam.d/common-auth (replace contents with the following)
## allow users with valid unix account or valid winbind account
## allow users with valid unix account or valid winbind account
# success=3 jumps over the next 3 commands
# success=3 jumps over the next 3 commands
auth required pam_group.so
auth required pam_group.so
* /etc/pam.d/common-session (replace contents with the following)
*Open and edit /etc/pam.d/common-session (replace contents with the following)
#
#
# /etc/pam.d/common-session - session-related modules common to all services
# /etc/pam.d/common-session - session-related modules common to all services
session optional pam_mount.so
session optional pam_mount.so
* /etc/pam.d/gdm3 (replace contents with the following)
*Open and edit /etc/pam.d/gdm3 (replace contents with the following)
#%PAM-1.0
#%PAM-1.0
auth requisite pam_nologin.so
auth requisite pam_nologin.so
*Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
*Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Debian client workstation.
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
* /etc/security/pam_mount.conf.xml
*Open and edit /etc/security/pam_mount.conf.xml
Insert the following under <nowiki><!-- Volume definitions --></nowiki>
Insert the following under <nowiki><!-- Volume definitions --></nowiki>
<volume sgrp=”nethome-group” fstype="cifs" server="SMESERVER" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
<volume sgrp=”nethome-group” fstype="cifs" server="SMESERVER" path="homes" mountpoint="~" options="nosuid,nodev,nounix,file_mode=0640,dir_mode=0700" />
=== Automount Ibays at Login===
=== Automount Ibays at Login===
*Edit /etc/security/pam_mount.conf.xml and add a line below the header
*Open and edit /etc/security/pam_mount.conf.xml and add a line below the header
<nowiki><!-- Volume Definitions --> </nowiki>
<nowiki><!-- Volume Definitions --> </nowiki>
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
wbinfo -g
wbinfo -g
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
* /etc/security/group.conf
*Open and edit /etc/security/group.conf
Insert the following at the end of the file:
Insert the following at the end of the file:
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
* ; * ; * ; Al0000-2400 ; floppy, video, audio, cdrom, dip, plugdev, users, scanner
# /etc/init.d/winbind restart
# /etc/init.d/winbind restart
* Log-out and log-in as domain user.
* Log-out and log-in as domain user.
===References===
===References===
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
#basic configuration: http://www.buechse.de/HOWTO/samba_pam_mount_sshd/
#basic configuration update: http://ubuntuforums.org/showthread.php?t=2060625&highlight=authentication
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
#sound: http://ubuntuforums.org/showpost.php?p=1559682&postcount=7
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
#GNOME and libpam-mount: http://www.debian-administration.org/users/dkg/weblog/30
