47
edits
Changes
From SME Server
Jump to navigationJump to searchClient Authentication:CentOS (view source)
Revision as of 19:40, 14 February 2015
, 19:40, 14 February 2015New Page
{{Warning box|This is based upon limited testing and a small number of users.}}
==Client Configuration==
===Introduction===
The following is CentOS 7 ( standard gnome edition) desktop configuration for SME Server 9 authentication using Samba and Winbind. It allows login via the standard CentOS login screen.
===Install CentOS 7===
*Download the CentOS 7 .iso and install. During the install process change the hostname to something of your choice and your domain name.
<HOSTNAME>.<yourdomain>.<yourtld>
{{Tip box| Make sure you set the <HOSTNAME> to something less than 15 characters.
The hostname can be set during the Installation Summary section of the install procedure by selecting Network & Hostname.
When creating a user account, give a non SME Server user such as 'administrator' as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open the Terminal (cli) and 'su' to root to carry out most of the authentication setup later.}}
*When the install has finished, remove the media and reboot. A gui welcome startup process then completes the setup and installation.
*Complete install, login and apply all updates. Logout and Restart.
{{Note box| There may be a lot of updates, it is recommended to apply them all but ensure the security fixes are applied as a minimum.}}
===Additional Packages===
*Open the Terminal and use "su" to log in as root user.
*Use "yum" at the Terminal to install the additional packages.
*If you prefer to use a graphical package manager then install the "Yum Extender" from the Software" package.
*The following shows how to install using yum at the Terminal, the package names are the same if you use the gui.
*First of all we need to add the EPEL repository
On 64-Bit
rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
*Now add the Nux Dextop repository
*As the first step, import the official GPG key of Nux Dextop repository
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
*Now install Nux Dextop repository
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
*We can verify that the repositories have installed succesfully by:
yum repolist
*Now we can add the extra packages
yum install pam_mount policycoreutils-gui authconfig-gtk samba samba-winbind samba-winbind-clients
===Firewall Modifications===
*Search for and open “Firewall” and tick
samba
samba-client
as trusted services. Do not forget to select “Permanent” in the configuration drop down box first otherwise the changes will apply to the current session only.
===SELinux Administration===
*Search for and open “SELinux Management” - note that the screen which opens is titled “SELinux Administration” (not Management)
*On the "Status" menu select the "System Default Enforcing Mode" to "Disabled".
===Samba Modifications===
At the Terminal and still as root user, run the following two commands.
systemctl enable smb.service
systemctl start smb.service
*Search for and open “Authentication”. This will open the Authentication Configuration dialogue.
{{Tip box| Do not press the “Join Domain” button until you have completed the changes to all of the Authentication Configuration dialogue boxes as detailed below.}}
*On the Identity & Authentication tab select Winbind as the User Account Database.
*Complete the dialogue box as follows:
Winbind Domain - this is the Windows Workgroup name for your SME Server
Security Model - set this to domain
Winbind Domain Controllers - this is the IP Address of your SME Server
Template shell - set this to /bin/bash
Allow offline login - tick
*On the Advanced Options tab
Enable local access control - tick
Password hashing Algorithm - MD5
Create home directories on first login - tick
*Password options tab.
No configuration changes changes on this tab are necessary
*Change back to the Identity & Authentication tab.
*Click on “Join Domain” button and save changes when prompted. Enter 'admin' as the Domain Administrator and then enter your SME Server 'admin' password. Click “OK”, then click “Apply” on the Identity & Authentication tab.
*Open the Terminal and 'su' to root if not already done.
*Open and edit /etc/samba/smb.conf. Under [global] there will be a section commented as having been generated by authconfig. Check this section is as below, some lines may not exist and may need to be added – see comments in ( )
:Replace <WORKGROUP> below with the 'Windows Workgroup' name of your SME Server.
:Replace <ip of sme server> below with the ip address of your SME Server.
[global]
#--authconfig--start-line--
# Generated by authconfig on 2015/02/14 13:54:12
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = <WORKGROUP>
; password server = <ip of sme server> (not required – leave as is but comment out)
security = domain
idmap config * : backend = tdb (add this line)
idmap config * : range = 16777216-33554431 (leave whatever range is set by default)
idmap config DOMAIN : backend = rid (add his line)
idmap config DOMAIN : range = 10000-49999 (add this line)
idmap config DOMAIN : base_rid = 1000 (add this line)
template shell = /bin/bash
; kerberos method = secrets only (comment out if this line exists)
winbind use default domain = yes (change this from false)
winbind offline logon = true
wins server = <ip of sme server> (add all of the following lines)
name resolve order = wins host lmhosts bcast
socket options = TCP_NODELAY
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
obey pam restrictions = yes
pam password change = yes
hostname lookups = yes
#--authconfig--end-line--
{{Note box| If you run the 'Authentication' tool again your amendments will be lost}}
*To check validation of smb.conf, run
testparm
*The 'Join Domain' above should also have worked so to list users, groups and available shares respectively from the SME server, test with
wbinfo -u
wbinfo -g
smbtree
:If it doesn't appear to have worked then run
net rpc join -D <WORKGROUP> -U admin
:Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
===Authentication Modifications===
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live DVD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
*Open, check and edit as necessary /etc/nsswitch.conf. The following 4 lines exist but all require amendment – see the comments in ( ). Close and Save.
passwd: files winbind (remove “sss”)
shadow: files winbind (remove “sss”)
group: files winbind (remove “sss”)
hosts: files dns wins (ensure the order is correct – put wins at the end)
*Open and edit the /etc/pam.d/system-auth file, and amend as below:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so cached_login use_first_pass
auth optional pam_mount.so enable_pam_password
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_winbind.so cached_login
session optional pam_mount.so enable_pam_password
{{Note box| The following two lines were added to the system-auth file:
auth optional pam_mount.so enable_pam_password
session optional pam_mount.so enable_pam_password}}
*Open and edit the /etc/pam.d/password-auth file, and amend as below:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so cached_login use_first_pass
auth optional pam_mount.so enable_pam_password
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_winbind.so cached_login
session optional pam_mount.so enable_pam_password
{{Note box| The following two lines were added to the password-auth file:
auth optional pam_mount.so enable_pam_password
session optional pam_mount.so enable_pam_password}}
*Open and edit the /etc/pam.d/gdm-password file, and amend as below:
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth optional pam_mount.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
session optional pam_mount.so
{{Note box| The following two lines were added to the gdm-password file:
auth optional pam_mount.so
session optional pam_mount.so}}
===Automount User Home Directories at Login===
*Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Fedora client workstation.
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
*Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<nowiki><!-- Volume Definitions --> </nowiki>
<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
*Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
=== Automount Ibays at Login===
*Edit /etc/security/pam_mount.conf.xml and add a line below the header
<nowiki><!-- Volume Definitions --> </nowiki>
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
wbinfo -g
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
===Login and Test===
*Exit the Terminal cli
*Logout, and Restart Fedora.
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
*Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server.
===Password Changes===
User password changes made through the web browser (www.yourdomain.xxx/user-password) are implemented correctly. The new password also being recognised when logging in away from the SME Server network i.e. off-line cached login, particularly useful for business laptops.
----
[[Category:Howto]]
[[Category:Administration]]
==Client Configuration==
===Introduction===
The following is CentOS 7 ( standard gnome edition) desktop configuration for SME Server 9 authentication using Samba and Winbind. It allows login via the standard CentOS login screen.
===Install CentOS 7===
*Download the CentOS 7 .iso and install. During the install process change the hostname to something of your choice and your domain name.
<HOSTNAME>.<yourdomain>.<yourtld>
{{Tip box| Make sure you set the <HOSTNAME> to something less than 15 characters.
The hostname can be set during the Installation Summary section of the install procedure by selecting Network & Hostname.
When creating a user account, give a non SME Server user such as 'administrator' as this first user effectively becomes a local user for Gnome login. Root is not allowed to login at the Gnome GDM prompt. You can login as this user, open the Terminal (cli) and 'su' to root to carry out most of the authentication setup later.}}
*When the install has finished, remove the media and reboot. A gui welcome startup process then completes the setup and installation.
*Complete install, login and apply all updates. Logout and Restart.
{{Note box| There may be a lot of updates, it is recommended to apply them all but ensure the security fixes are applied as a minimum.}}
===Additional Packages===
*Open the Terminal and use "su" to log in as root user.
*Use "yum" at the Terminal to install the additional packages.
*If you prefer to use a graphical package manager then install the "Yum Extender" from the Software" package.
*The following shows how to install using yum at the Terminal, the package names are the same if you use the gui.
*First of all we need to add the EPEL repository
On 64-Bit
rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
*Now add the Nux Dextop repository
*As the first step, import the official GPG key of Nux Dextop repository
rpm --import http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
*Now install Nux Dextop repository
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
*We can verify that the repositories have installed succesfully by:
yum repolist
*Now we can add the extra packages
yum install pam_mount policycoreutils-gui authconfig-gtk samba samba-winbind samba-winbind-clients
===Firewall Modifications===
*Search for and open “Firewall” and tick
samba
samba-client
as trusted services. Do not forget to select “Permanent” in the configuration drop down box first otherwise the changes will apply to the current session only.
===SELinux Administration===
*Search for and open “SELinux Management” - note that the screen which opens is titled “SELinux Administration” (not Management)
*On the "Status" menu select the "System Default Enforcing Mode" to "Disabled".
===Samba Modifications===
At the Terminal and still as root user, run the following two commands.
systemctl enable smb.service
systemctl start smb.service
*Search for and open “Authentication”. This will open the Authentication Configuration dialogue.
{{Tip box| Do not press the “Join Domain” button until you have completed the changes to all of the Authentication Configuration dialogue boxes as detailed below.}}
*On the Identity & Authentication tab select Winbind as the User Account Database.
*Complete the dialogue box as follows:
Winbind Domain - this is the Windows Workgroup name for your SME Server
Security Model - set this to domain
Winbind Domain Controllers - this is the IP Address of your SME Server
Template shell - set this to /bin/bash
Allow offline login - tick
*On the Advanced Options tab
Enable local access control - tick
Password hashing Algorithm - MD5
Create home directories on first login - tick
*Password options tab.
No configuration changes changes on this tab are necessary
*Change back to the Identity & Authentication tab.
*Click on “Join Domain” button and save changes when prompted. Enter 'admin' as the Domain Administrator and then enter your SME Server 'admin' password. Click “OK”, then click “Apply” on the Identity & Authentication tab.
*Open the Terminal and 'su' to root if not already done.
*Open and edit /etc/samba/smb.conf. Under [global] there will be a section commented as having been generated by authconfig. Check this section is as below, some lines may not exist and may need to be added – see comments in ( )
:Replace <WORKGROUP> below with the 'Windows Workgroup' name of your SME Server.
:Replace <ip of sme server> below with the ip address of your SME Server.
[global]
#--authconfig--start-line--
# Generated by authconfig on 2015/02/14 13:54:12
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
workgroup = <WORKGROUP>
; password server = <ip of sme server> (not required – leave as is but comment out)
security = domain
idmap config * : backend = tdb (add this line)
idmap config * : range = 16777216-33554431 (leave whatever range is set by default)
idmap config DOMAIN : backend = rid (add his line)
idmap config DOMAIN : range = 10000-49999 (add this line)
idmap config DOMAIN : base_rid = 1000 (add this line)
template shell = /bin/bash
; kerberos method = secrets only (comment out if this line exists)
winbind use default domain = yes (change this from false)
winbind offline logon = true
wins server = <ip of sme server> (add all of the following lines)
name resolve order = wins host lmhosts bcast
socket options = TCP_NODELAY
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
obey pam restrictions = yes
pam password change = yes
hostname lookups = yes
#--authconfig--end-line--
{{Note box| If you run the 'Authentication' tool again your amendments will be lost}}
*To check validation of smb.conf, run
testparm
*The 'Join Domain' above should also have worked so to list users, groups and available shares respectively from the SME server, test with
wbinfo -u
wbinfo -g
smbtree
:If it doesn't appear to have worked then run
net rpc join -D <WORKGROUP> -U admin
:Enter the admin password for the SME server when prompted and you should get a message,
Joined domain <WORKGROUP>
===Authentication Modifications===
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live DVD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
*Open, check and edit as necessary /etc/nsswitch.conf. The following 4 lines exist but all require amendment – see the comments in ( ). Close and Save.
passwd: files winbind (remove “sss”)
shadow: files winbind (remove “sss”)
group: files winbind (remove “sss”)
hosts: files dns wins (ensure the order is correct – put wins at the end)
*Open and edit the /etc/pam.d/system-auth file, and amend as below:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so cached_login use_first_pass
auth optional pam_mount.so enable_pam_password
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_winbind.so cached_login
session optional pam_mount.so enable_pam_password
{{Note box| The following two lines were added to the system-auth file:
auth optional pam_mount.so enable_pam_password
session optional pam_mount.so enable_pam_password}}
*Open and edit the /etc/pam.d/password-auth file, and amend as below:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_winbind.so cached_login use_first_pass
auth optional pam_mount.so enable_pam_password
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_winbind.so cached_login
session optional pam_mount.so enable_pam_password
{{Note box| The following two lines were added to the password-auth file:
auth optional pam_mount.so enable_pam_password
session optional pam_mount.so enable_pam_password}}
*Open and edit the /etc/pam.d/gdm-password file, and amend as below:
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth optional pam_gnome_keyring.so
auth optional pam_mount.so
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
session optional pam_gnome_keyring.so auto_start
session include postlogin
session optional pam_mount.so
{{Note box| The following two lines were added to the gdm-password file:
auth optional pam_mount.so
session optional pam_mount.so}}
===Automount User Home Directories at Login===
*Create a new group in SME Server with a Group Name of “nethome” and a Description of “nethome-group”. Add all SME Server users to this group, or at least all SME Server users who will be using the SME Server to authenticate a Fedora client workstation.
{{Note box| The names “nethome” and “nethome-group” can, of course be anything you like, these are just my example for the purpose of this HowTo. They are, however, a sensible choice as we are going to use a mount point called “nethome” but again this mount point name can be anything you want.}}
*Open and edit /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header
<nowiki><!-- Volume Definitions --> </nowiki>
<volume sgrp="nethome-group" fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
*Replace <SMESERVER> above with the samba name of your SME Server. This will mount the users 'home' directory from SME Server into a directory called 'nethome' in their local home directory.
=== Automount Ibays at Login===
*Edit /etc/security/pam_mount.conf.xml and add a line below the header
<nowiki><!-- Volume Definitions --> </nowiki>
<volume sgrp="<GROUPNAME>" fstype="cifs" server="<SMESERVER>" path="<IBAYNAME>" mountpoint="~/<IBAYNAME>" options="user=%(DOMAIN_USER),setuids,acl" />
*Replace <SMESERVER> with the samba name of your SME server, <IBAYNAME> with the ibay name, <GROUPNAME> with the '''[[description]]''' of the ibay owner group. The description can be recovered with
wbinfo -g
{{Note box| The sgrp param is optional. If used, ibay will be mounted only if %(DOMAIN_USER) is a member of ibay's owner group}}
===Login and Test===
*Exit the Terminal cli
*Logout, and Restart Fedora.
*Login as a valid SME server user on your system, just giving username and password. No need for DOMAIN\user as samba configured above to use the default Windows Workgroup
*Authentication against SME Server should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, and a sub directory to that called 'nethome' mounted to the users home directory on the SME server.
===Password Changes===
User password changes made through the web browser (www.yourdomain.xxx/user-password) are implemented correctly. The new password also being recognised when logging in away from the SME Server network i.e. off-line cached login, particularly useful for business laptops.
----
[[Category:Howto]]
[[Category:Administration]]
