Line 82: |
Line 82: |
| | | |
| [pam] | | [pam] |
− |
| + | |
| [domain/LDAP] | | [domain/LDAP] |
| + | # Debug is now per domain |
| + | # Debug level can be 0-10 for simple levels, |
| + | # or for more control hex values Format is 0xXXXX |
| + | # 1 = 0x0010 2 = 0x0020 3 = 0x040 4 = 0x080 5 = 0x0100 6 = 0x0200 |
| + | # see man sssd for more |
| + | # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sssd-troubleshooting |
| + | debug_level = 3 |
| id_provider = ldap | | id_provider = ldap |
| auth_provider = ldap | | auth_provider = ldap |
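Review bot: the comment block added above `debug_level = 3` in the [domain/LDAP] section contradicts itself: it announces the hex form as 0xXXXX and then lists `3 = 0x040 4 = 0x080` with three digits while every other entry has four. Either write all six values as four-digit hex (0x0040, 0x0080) or drop the hand-typed mapping and let the `see man sssd for more` line and the Red Hat link carry it, because readers paste this whole block into sssd.conf as-is. The new setting should also say whether 3 is intended as the permanent value or a troubleshooting value to be lowered again once the domain join works.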
Line 120: |
Line 127: |
| | | |
| ===Configure the system to use SSSD as a source of authentication:=== | | ===Configure the system to use SSSD as a source of authentication:=== |
− | Setup to use the tool auth-client-config: | + | Setup to use the tool auth-client-config. |
| + | |
| + | {{Tip box|If you intend to automatically mount shares please see the Mount Shares section below and add the relevant sections to pam_auth and pam_session here first. You may also want the section in System Permissions }} |
| | | |
| We can copy and paste in a terminal to add following lines: | | We can copy and paste in a terminal to add following lines: |
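Review bot: the new Tip box tells readers to copy sections from "Mount Shares" and "System Permissions" into pam_auth and pam_session "here first", but the surrounding text never states that those edits must be made in /etc/auth-client-config/profile.d/sss before `sudo auth-client-config -a -p sss -r` is run, and that re-running the command is what applies them afterwards; one explicit sentence would prevent readers editing /etc/pam.d by hand. Style: "Setup to use the tool" should read "Set up"; and `{{Tip box|...}}` is invoked with a positional parameter while `{{Warning box|msg=...}}` elsewhere on this page uses a named one, which is worth checking against the templates.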
Line 163: |
Line 172: |
| sudo auth-client-config -a -p sss -r | | sudo auth-client-config -a -p sss -r |
| | | |
− | ===Miscellaneous===
| |
| | | |
− | You may get the following error:
| + | ==Desktop Setup== |
| + | |
| + | {{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}} |
| + | |
| + | ===Sudoers=== |
| + | |
| + | Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine. |
| + | |
| + | So that domain users have sudo rights we need to add this group to /etc/sudoers |
| + | |
| + | NOTE - use visudo so you do not break this file ! : |
| + | |
| + | sudo visudo |
| + | |
| + | Add this: |
| + | %cliadmins ALL=(ALL) ALL |
| + | |
| + | |
| + | ===System Permissions & PolicyKit=== |
| + | |
| + | I also found to enable shutdown/restart, network indicator etc I had to add this to /etc/auth-client-config/profile.d/sss |
| + | |
| + | pam_session= |
| + | session optional pam_systemd.so |
| + | |
| + | Check if you run Policykit (most likely): |
| + | |
| + | pgrep -lf polkit |
| + | |
| + | To allow admin access on the desktop we need to edit the following file: |
| + | /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla |
| | | |
− | PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
| + | Add the following to sections as required: |
| | | |
− | This is due to a file location issue. You can resolve this error by doing the following:
| + | Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins |
| | | |
− | cd /lib;ln -s /lib/x86_64-linux-gnu/security security
| + | Sections: |
| | | |
− | [[Category:Howto]] | + | [Mounting, checking, etc. of internal drives] |
| + | [Setting the clock] |
| + | [Adding or changing system-wide NetworkManager connections] |
| + | [Update already installed software] |
| + | [usb-creator] |
| + | [Printer administration] |
| + | [Modify error reporting settings] |
| | | |
− | ===Mount Shares=== | + | ===LightDM Login Box=== |
| | | |
− | {{Warning box|msg=This seems to work on my Xubuntu Trusty 14.04 but YMMV!}}
| + | If you want to have a simple login box with manual login only you can do the following: |
| | | |
− | If you can successfully login with a domain account you can now try and automatically mounts shares.
| + | create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf |
| | | |
− | You will require at least cif-utils and libpam_mount
| + | Add the following: |
| | | |
− | sudo apt-get install libpam_mount cifs-utils | + | [SeatDefaults] |
| + | greeter-show-manual-login=true |
| + | greeter-hide-users=true |
| | | |
− | Create a 'cliadmins' group on the server. This will be used to identify domain users to the desktop machine.
| + | ===Mount Shares=== |
| | | |
− | So that domain users have sudo rights we need to add this group to /etc/sudoers
| + | {{Note box|The following page is worth a read https://wiki.contribs.org/Smeserver-tw-logonscript#Linux_client_integration |
| + | It is possible to create a simple local pam_mount.conf.xml file and then load a per user config from the server}} |
| | | |
− | NOTE - use visudo so you do not break this file ! :
| + | If you can successfully login with a domain account you can now try and automatically mounts shares. |
| | | |
− | sudo visudo
| + | You will require at least cif-utils and libpam-mount |
| | | |
− | Add this:
| + | sudo apt-get install libpam-mount cifs-utils |
− | %cliadmins ALL=(ALL) ALL | |
| | | |
| In the above file /etc/auth-client-config/profile.d/sss | | In the above file /etc/auth-client-config/profile.d/sss |
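Review bot: the `%cliadmins ALL=(ALL) ALL` line under ===Sudoers=== grants unrestricted root on every joined desktop to whoever is placed in the cliadmins group on the LDAP server, so the section should state that membership of that group is now the root-access control for all these machines and must be managed as tightly as local sudo membership would be; otherwise a reader following the steps does not notice that the trust boundary has moved to the server. Two smaller points in the same hunk: the Mount Shares prose still says "cif-utils" and "automatically mounts shares" while the corrected command reads `sudo apt-get install libpam-mount cifs-utils`; and the PolicyKit step edits the vendor file `/var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla`, which a package update can overwrite, whereas a .pkla file with the same Action= entries under /etc/polkit-1/localauthority/50-local.d/ is the supported place for a local override.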
Line 200: |
Line 246: |
| We need to add the following to the sections for: | | We need to add the following to the sections for: |
| | | |
− | pam_auth= | + | pam_auth= |
− | pam_session= | + | auth optional pam_mount.so enable_pam_password |
| + | |
| + | pam_session= |
| + | session optional pam_mount.so enable_pam_password |
| | | |
− | auth optional pam_mount.so enable_pam_password
| |
| | | |
− | Now we need this:
| |
| | | |
− | touch /etc/security/pam_mount.conf.xml
| + | We now need to setup global mounts for all users with /etc/security/pam_mount.conf.xml |
| | | |
| Note: you can exclude local users from mounting directories with sgrp setting. You MAY need need nounix in mntoptions (needs testing) | | Note: you can exclude local users from mounting directories with sgrp setting. You MAY need need nounix in mntoptions (needs testing) |
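Review bot: the reordered pam_auth=/pam_session= block now pairs `auth optional pam_mount.so enable_pam_password` with `session optional pam_mount.so enable_pam_password`, but the lead sentence "We need to add the following to the sections for:" still does not name the file these lines belong in, even though the "In the above file /etc/auth-client-config/profile.d/sss" context line before it implies it; tie the two together so readers do not put them into /etc/pam.d directly. Dropping `touch /etc/security/pam_mount.conf.xml` is fine only because the later heredoc creates the file, so the replacement sentence should say that rather than just "setup global mounts" ("set up"); and the unchanged note below it still has the doubled "need need".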
Line 213: |
Line 260: |
| Add the following: | | Add the following: |
| | | |
| + | cat <<'_EOF' >/etc/security/pam_mount.conf.xml |
| <pam_mount> | | <pam_mount> |
| <debug enable = "0" /> | | <debug enable = "0" /> |
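Review bot: `cat <<'_EOF' >/etc/security/pam_mount.conf.xml` will fail with permission denied for an ordinary user, because the redirection is performed by the calling shell and not by cat, and prefixing `sudo cat` does not change that; use `sudo tee /etc/security/pam_mount.conf.xml >/dev/null <<'_EOF'` or run the whole block from a root shell. The heredoc also silently replaces the pam_mount.conf.xml that libpam-mount installs, so a line telling readers to keep a copy of the distro file before overwriting it belongs here.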
Line 227: |
Line 275: |
| user = "*" | | user = "*" |
| sgrp = "admins"/> | | sgrp = "admins"/> |
− | <!-- General Directory-->
| + | <!-- General Directory--> |
| <volume fstype = "cifs" | | <volume fstype = "cifs" |
| server = "sme.server.com" | | server = "sme.server.com" |
Line 236: |
Line 284: |
| sgrp = "admins"/> | | sgrp = "admins"/> |
| </pam_mount> | | </pam_mount> |
| + | _EOF |
| | | |
− | ===== PolicyKit =====
| + | You may need to add a 'sec' option like this: |
| | | |
− | Check if you run Policykit (most likely):
| + | options = "uid=%(USER),nosuid,nodev,noexec,sec=ntlmssp,vers=1.0" |
| | | |
− | pgrep -lf polkit
| + | Now when you login as a domain user your shares should mount and you should have full sudo access. |
| | | |
− | To allow admin access on the desktop including the ability to shutdown/reboot etc we need to edit the following file:
| + | ==Miscellaneous Notes== |
− | /var/lib/polkit-1/localauthority/10-vendor.d/com.ubuntu.desktop.pkla
| |
| | | |
− | Add the following to sections as required:
| + | ===Local password required for sudo=== |
| | | |
− | Identity=unix-group:admin;unix-group:sudo;unix-group:cliadmins
| + | One irritation that I have seen is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user. |
| | | |
− | Sections:
| + | I believe adding your new group to the following file will then present you with a list of users who can authenticate: |
| | | |
− | [Mounting, checking, etc. of internal drives]
| + | /etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf |
− | [Setting the clock]
| |
− | [Adding or changing system-wide NetworkManager connections]
| |
− | [Update already installed software]
| |
− | [usb-creator]
| |
− | [Printer administration]
| |
− | [Modify error reporting settings]
| |
| | | |
− | Now when you login as a domain user your shares should mount and you should have full sudo access.
| + | [Configuration] |
| + | AdminIdentities=unix-group:sudo;unix-group:admin;unix-group:cliadmins |
| | | |
− | One irritation that I have seen that I cannot find a way round is that when you run a program requiring sudo e.g. Synaptic it may ask you for the password of a LOCAL user, not the domain user.
| + | It will present an 'Authenticate' box with a list of users - I have not yet found how to just accept the password for the current logged in user (as per normal case for standalone user). Most likely it requires a modification to lightdm similar to above. |
| | | |
− | ====LightDM Login Box==== | + | ===pam_winbind=== |
| | | |
− | If you want to have a simple login box with manual login only you can do the following:
| + | You may get the following error: |
| | | |
− | create /etc/lightdm/lightdm.conf.d/50-unity-greeter.conf
| + | PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory |
| | | |
− | Add the following:
| + | This is due to a file location issue. You can resolve this error by doing the following: |
| | | |
− | [SeatDefaults] | + | cd /lib;ln -s /lib/x86_64-linux-gnu/security security |
− | greeter-show-manual-login=true
| |
− | greeter-hide-users=true
| |
| | | |
− | ====Miscellaneous Notes==== | + | ===pam_kwallet=== |
| | | |
| If you do not use kwallet and get annoyed by this message: | | If you do not use kwallet and get annoyed by this message: |
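Review bot: the suggested `options = "uid=%(USER),nosuid,nodev,noexec,sec=ntlmssp,vers=1.0"` pins the mount to SMB1, the legacy dialect that current Samba and Windows releases disable by default; the text should say that `vers=1.0` is only for servers that cannot speak SMB2 or later and that a newer dialect is the right default, rather than presenting it as the standard fix. Elsewhere in this hunk: `cd /lib;ln -s /lib/x86_64-linux-gnu/security security` needs root, so show it with sudo and say it links the entire multiarch PAM module directory system-wide; and under "Local password required for sudo", `/etc/polkit-1/localauthority.conf.d/51-ubuntu-admin.conf` is a file shipped by the distribution, so a new, higher-numbered file in the same directory carrying the `AdminIdentities=` line is the safer place for the cliadmins addition, since later files override that key.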
Line 282: |
Line 323: |
| PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory | | PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory |
| | | |
− | edit /etc/pam.d/lightdm and comment the following lines | + | edit /etc/pam.d/lightdm and lightdm-greeter and comment lines containing the following: |
| | | |
− | # auth optional pam_kwallet.so | + | pam_kwallet.so |
− | # auth optional pam_kwallet.so
| |
| | | |
| | | |
| Wish I knew all this a week ago ! | | Wish I knew all this a week ago ! |
| + | |
| + | [[Category:Howto]] |
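Review bot: the rewritten pam_kwallet instruction "comment lines containing the following: pam_kwallet.so" dropped the concrete before/after the old text had (`# auth optional pam_kwallet.so`), and the removed version listed that same line twice, which looks like a copy error rather than two distinct entries; show the exact resulting commented-out line(s) from /etc/pam.d/lightdm and /etc/pam.d/lightdm-greeter so readers can confirm they edited the right entries, and note that the edit is lost if the package reinstalls those PAM files.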