Changes

From SME Server
Jump to navigationJump to search
no edit summary
Line 45: Line 45:     
===Managing the CA on SME===
 
===Managing the CA on SME===
after having installed PHPki, go to https://www.domain.tld/phpki and download the certificate of authority (ca-certificates.crt) to the client machine .
+
==PHPKi==
 +
 
 +
After having installed PHPki, go to https://www.domain.tld/phpki and download the certificate of authority (ca-certificates.crt) to the client machine.
    
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
 
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
 
  cp ~/Downloads/ca-certificates.crt /etc/ssl/certs/
 
  cp ~/Downloads/ca-certificates.crt /etc/ssl/certs/
 
  chmod 644 /etc/ssl/certs/ca-certificates.crt
 
  chmod 644 /etc/ssl/certs/ca-certificates.crt
 +
 +
==Letsencrypt==
 +
 +
If you use Letsencypt for your certificates then your client machine should already have the ca-certificate for letsencrypt installed
 +
 +
You should be able to set the following in sssd.conf
 +
 +
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
    
===Configure SSSD===
 
===Configure SSSD===
Line 72: Line 82:  
   
 
   
 
  [pam]
 
  [pam]
+
 
 
  [domain/LDAP]
 
  [domain/LDAP]
 +
# Debug is now per domain
 +
# Debug level can be 0-10 for simple levels,
 +
# or for more control hex values Format is 0xXXXX
 +
# 1 = 0x0010 2 = 0x0020 3 = 0x040 4 = 0x080 5 = 0x0100 6 = 0x0200
 +
# see man sssd for more
 +
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-troubleshooting
 +
debug_level = 3
 
  id_provider = ldap
 
  id_provider = ldap
 
  auth_provider = ldap
 
  auth_provider = ldap
Line 110: Line 127:     
===Configure the system to use SSSD as a source of authentication:===
 
===Configure the system to use SSSD as a source of authentication:===
Setup to use the tool auth-client-config:
+
Setup to use the tool auth-client-config.
 +
 
 +
{{Tip box|If you intend to automatically mount shares please see the Mount Shares section below and add the relevant sections to pam_auth and pam_session here first. You may also want the section in System Permissions }}
    
We can copy and paste in a terminal to add following lines:
 
We can copy and paste in a terminal to add following lines:
Line 147: Line 166:  
  sudo auth-client-config -a -p sss
 
  sudo auth-client-config -a -p sss
   −
Now you should be able to reboot and login as a LDAP member
+
Now you should be able to reboot and login as a LDAP member.
 +
 
 +
We should be able to restore the original pam config files with
 +
 
 +
sudo auth-client-config -a -p sss -r
 +
 
 +
 
 +
==Desktop Setup==
 +
 
 +
{{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}
 +
 
 +
===Sudoers===
 +
 
 +
Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.
 +
 
 +
So that domain users have sudo rights we need to add this group to /etc/sudoers
 +
 
 +
NOTE - use visudo so you do not break this file ! :
 +
 
 +
sudo visudo
 +
 
 +
Add this:
 +
%cliadmins ALL=(ALL) ALL
 +
 
 +
 
 +
===System Permissions & PolicyKit===
 +
 
 +
I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss
 +
 
 +
pam_session=
 +
                session        optional                        pam_systemd.so
 +
 
 +
Check if you run Policykit (most likely):
 +
 
 +
pgrep -lf polkit
 +
 
 +
To allow admin access on the desktop we need to edit the following file:
 +
/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
 +
 
 +
Add the following to sections as required:
 +
 
 +
Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins
 +
 
 +
Sections:
 +
 
 +
[Mounting, checking, etc. of internal drives]
 +
[Setting the clock]
 +
[Adding or changing system-wide NetworkManager connections]
 +
[Update already installed software]
 +
[usb-creator]
 +
[Printer administration]
 +
[Modify error reporting settings]
 +
 
 +
===LightDM Login Box===
 +
 
 +
If you want to have a simple login box with manual login only you can do the following:
 +
 
 +
create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf
 +
 
 +
Add the following:
 +
 
 +
[SeatDefaults]
 +
greeter-show-manual-login=true
 +
greeter-hide-users=true
 +
 
 +
===Mount Shares===
 +
 
 +
{{Note box|The following page is worth a read https://wiki.contribs.org/Smeserver-tw-logonscript#Linux_client_integration
 +
It is possible to create a simple local pam_mount.conf.xml file and then load a per user config from the server}}
 +
 
 +
If you can successfully login with a domain account you can now try and automatically mounts shares.
 +
 
 +
You will require at least cif-utils and libpam-mount
 +
 
 +
sudo apt-get install libpam-mount cifs-utils
 +
 
 +
In the above file /etc/auth-client-config/profile.d/sss
 +
 
 +
We need to add the following to the sections for:
 +
 
 +
pam_auth=
 +
                auth          optional                        pam_mount.so    enable_pam_password
 +
 
 +
pam_session=
 +
                session          optional                        pam_mount.so    enable_pam_password
 +
 
 +
 
 +
 
 +
We now need to setup global mounts for all users with /etc/security/pam_mount.conf.xml
 +
 
 +
Note: you can exclude local users from mounting directories with sgrp setting. You MAY need need nounix in mntoptions (needs testing)
 +
 
 +
Add the following:
 +
 
 +
cat <<'_EOF' >/etc/security/pam_mount.conf.xml
 +
<pam_mount>
 +
<debug        enable  = "0" />
 +
<mntoptions  allow  = "nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,noexec" />
 +
<mntoptions  require = "nosuid,nodev,noexec" />
 +
<logout      wait    = "5" hup    = "0"    term="yes" kill="0" />
 +
<mkmountpoint enable  = "1" remove = "true" />
 +
<!-- Personal Directory-->
 +
<volume fstype    = "cifs"
 +
        server    = "sme.server.com"
 +
        path      = "%(USER)"
 +
        mountpoint = "/home/e-smith/files/users/%(USER)/Partages/Personnel"
 +
        options    = "uid=%(USER),nosuid,nodev,noexec"
 +
        user      = "*"
 +
        sgrp      = "admins"/>
 +
  <!-- General Directory-->
 +
<volume fstype    = "cifs"
 +
        server    = "sme.server.com"
 +
        path      = "artwork"
 +
        mountpoint = "/home/e-smith/files/users/%(USER)/Mounts/artwork"
 +
        options    = "uid=%(USER),nosuid,nodev,noexec"
 +
        user      = "*"
 +
        sgrp      = "admins"/>
 +
</pam_mount>
 +
_EOF
 +
 
 +
You may need to add a 'sec' option like this:
 +
 
 +
options    = "uid=%(USER),nosuid,nodev,noexec,sec=ntlmssp,vers=1.0"
 +
 
 +
Now when you login as a domain user your shares should mount and you should have full sudo access.
 +
 
 +
==Miscellaneous Notes==
 +
 
 +
===Local password required for sudo===
 +
 
 +
One irritation that I have seen is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user.
 +
 
 +
I believe adding your new group to the following file will then present you with a list of users who can authenticate:
 +
 
 +
/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf
 +
 
 +
[Configuration]
 +
AdminIdentities=unix-group:sudo;unix-group:admin;unix-group:cliadmins
 +
 
 +
It will present an 'Authenticate' box with a list of users - I have not yet found how to just accept the password for the current logged in user (as per normal case for standalone user). Most likely it requires a modification to lightdm similar to above.
 +
 
 +
===pam_winbind===
 +
 
 +
You may get the following error:
 +
 
 +
PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
 +
 
 +
This is due to a file location issue. You can resolve this error by doing the following:
 +
 
 +
cd /lib;ln -s /lib/x86_64-linux-gnu/security security
 +
 
 +
===pam_kwallet===
 +
 
 +
If you do not use kwallet and get annoyed by this message:
 +
 
 +
PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
 +
 
 +
edit /etc/pam.d/lightdm and lightdm-greeter and comment lines containing the following:
 +
 
 +
pam_kwallet.so
 +
 
 +
 
 +
Wish I knew all this a week ago !
    
[[Category:Howto]]
 
[[Category:Howto]]

Navigation menu