Line 44:
Line 44:
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
−
Place a copy of it into /etc/phpki/tls/certs/ and give the 644 permissions:
+
Place a copy of it or of another CA into /etc/phpki/tls/certs/ and give the 644 permissions:
cp ~/download/ca.crt /etc/phpki/tls/certs/
cp ~/download/ca.crt /etc/phpki/tls/certs/
chmod 644 /etc/phpki/tls/certs/ca.crt
chmod 644 /etc/phpki/tls/certs/ca.crt
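Review bot: The reworded sentence now allows "another CA", but the cp and chmod lines under it still hard-code ~/download/ca.crt, so a reader using a different CA file has no instruction on what name it must be saved under. State that the file has to end up as ca.crt in the target directory, or show the copy with an explicit destination filename. Also check the directory itself: this step uses /etc/phpki/tls/certs/, while the tip added further down in this same change refers to /etc/pki/tls/certs/ca.crt. One of the two paths should be corrected so that both steps name the same file.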
Line 98:
Line 98:
chmod 600 /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
+
+
{{Tip box|Make sure that the file /etc/pki/tls/certs/ca.crt contains the CA that has sign the certificate of the SME (if PHPki is used, a version > 0,82-13 is required).}}
===Start and enable the daemon sssd===
===Start and enable the daemon sssd===
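Review bot: The added tip points at /etc/pki/tls/certs/ca.crt, but the copy step earlier on the page places the CA in /etc/phpki/tls/certs/, so a reader following both will verify a file they never created. Use a single path in both places. In the same tip, "has sign" should read "has signed", and the version "0,82-13" uses a comma where the package version would normally use a dot; write it the way the package manager reports it so it can be compared directly.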
Line 134:
Line 136:
gpasswd -a <your ldap login> wheel}}
gpasswd -a <your ldap login> wheel}}
+
=== Automount of the ibays and of the user folders ===
+
* Make sure that both rpms pam_mount and cifs-utils are installed
+
sudo dnf install pam_mount, cifs-utils
+
* Modify /etc/pam.d/lightdm (can be /etc/pam.d/gdm-password by Gnome instead of XFCE) as follow:
+
#%PAM-1.0
+
auth [success=done ignore=ignore default=bad]
+
dpam_selinux_permit.so
+
auth required pam_env.so
+
auth substack system-auth
+
-auth optional pam_gnome_keyring.so
+
-auth optional pam_kwallet.so
+
auth optional pam_mount.so
+
auth include postlogin
+
+
account required pam_nologin.so
+
account include system-auth
+
+
password include system-auth
+
+
session required pam_selinux.so close
+
session required pam_loginuid.so
+
session optional pam_console.so
+
-session optional pam_ck_connector.so
+
session required pam_selinux.so open
+
session optional pam_keyinit.so force revoke
+
session required pam_namespace.so
+
-session optional pam_gnome_keyring.so auto_start
+
-session optional pam_kwallet.so
+
session include system-auth
+
session optional pam_lastlog.so silent
+
session optional pam_mount.so
+
session include postlogin
+
by adding:
+
session optional pam_mount.so
+
session include postlogin
+
at the end of the file.
+
* Edit the /etc/security/pam_mount.conf.xml file. Find the 'Volume Definitions' section and add after it:
+
<volume fstype="cifs" server="192.168.2.5" path="ibay1" mountpoint="/media/sme/ibay1" user="*" options="rw,auto,iocharset=utf8" />
+
<volume fstype="cifs" server="192.168.2.5" path="ibay2" mountpoint="/media/sme/ibay2" user="*" options="rw,auto,iocharset=utf8" />
+
<!-- .........etc....etc... -->
+
<volume fstype="cifs" server="192.168.2.5" path="%(USER)" mountpoint="/media/sme/%(USER)/" user="*" options="rw,auto,iocharset=utf8" />
+
* Create all the above configured the mount points:
+
sudo mkdir /media/sme/ibay1
+
sudo chmod 777 /media/sme/ibay1
+
sudo mkdir /media/sme/ibay2
+
sudo chmod 777 /media/sme/ibay2
+
etc...
+
+
sudo mkdir /media/sme/user1
+
sudo chmod 777 /media/sme/user1
+
sudo mkdir /media/sme/user2
+
sudo chmod 777 /media/sme/user2
+
etc...
+
+
{{note box|With Fedora21, it was possible only the create and chmod777 /media/sme. The different mount points (ibay1, ibay2 etc...) have been created automatically by Fedora at the mounting operation. // It seem that this is not possible any more!!
+
Please inform us, if there is a way to get it again.}}
+
{{note box|Event if all the mount points are created, the several shares (ibays and user folders) are only mounted according to the permissions of the user.}}
+
{{note box|The shares are automatically unmounted when the user loggs out.}}
That's all.
That's all.
Enjoy!
Enjoy!
[[Category:Howto]]
[[Category:Howto]]
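Review bot: In the /etc/pam.d/lightdm listing the first auth rule is broken across two lines and its module is spelled "dpam_selinux_permit.so"; a reader who copies the listing gets a control field with no module followed by a line that is not a PAM rule, on the file that gates graphical login. It should be one line ending in pam_selinux_permit.so. The "by adding" sentence mentions only the two session lines, yet the listing also contains "auth optional pam_mount.so", so say explicitly that the auth line is added too. The install command "sudo dnf install pam_mount, cifs-utils" has a comma after pam_mount, which dnf will treat as part of the package name; separate the two packages with a space only. Finally, every mount point is created with chmod 777, which leaves the directories world-writable whenever nothing is mounted on them; since the note below says access is governed by the user's permissions on the share, document the tightest mode that still works, and keep 777 only if testing shows it is required.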