Difference between revisions of "Client Authentication:Fedora"
Revision as of 22:36, 6 November 2009
Fedora 11 Authentication
Introduction
The following details the setup of Fedora 11 as a desktop to authenticate users against SME. The method has been tested using Fedora installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.
Install Fedora
Download the Fedora .iso and install. The initial install process asks for a root password and the hostname (which defaults to localhost.localdomain). Change this to a hostname of your choice plus your domain name, in the form
<HOSTNAME>.<yourdomain>.<yourtld>
When the install has finished you need to remove the media and reboot. A gui startup process then completes the setup and installation. During this process you will be asked for a username and password to set up the first user, and also the date/time configuration.
Complete install, login and apply all updates.
Additional Packages
Use 'System - Administration - Add/Remove Software' or yum to install the following additional packages:
Windows file server (note this is a group of packages, found under Package Collections or installed with yum groupinstall)
pam_mount
libtalloc (this needs to be updated if you haven't applied all the updates, otherwise samba and the domain join don't work)
Firewall Modifications
Open the 'System - Administration - Firewall' and tick
samba
samba-client
as Trusted Services. Don't forget to 'Apply'
Samba Modifications
Open 'System - Administration - Services' and enable 'smb'
Open 'System - Administration - Authentication'. This will open an 'Authentication Configuration' dialogue.
Tip: do not press the 'Join Domain' button until you have completed the changes below on all three of the dialogue tabs.
On the 'User Information' tab tick 'Enable Winbind Support' and press the 'Configure Winbind' button.
A 'Winbind Configuration' dialogue opens. Complete the boxes with the relevant information:
Winbind Domain - this is the Windows Workgroup name for your SME Server
Security - set this to domain
Winbind Domain Controllers - this is the IP address of your SME server
Template Shell - set this to /bin/bash
Allow Offline Login - tick
Press OK and change to the 'Authentication' tab. Check 'Enable Winbind Support' is ticked and press the 'Configure Winbind' button.
A 'Winbind Settings' dialogue opens. Check the values are the same as above and press OK.
Change to the Options tab and check the following are ticked or set:
Use Shadow Passwords
Password Hashing Algorithm - MD5
Local Authorization is sufficient for local users
Create Home directories on first login
Now change back to the 'User Information' tab, press 'Configure Winbind' and then 'Join Domain'.
Close this application down.
Open a terminal ('Applications - Accessories - Terminal') and 'su' to root.
Open and edit /etc/samba/smb.conf. Under [global] there will be a section commented as having been generated by authconfig. Check this section matches the settings below. Some lines may not exist and will need to be added.
workgroup = <WORKGROUP>
password server = <ip of sme server>
security = domain
idmap uid = <whatever range is set>
idmap gid = <whatever range is set>
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = true
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
socket options = TCP_NODELAY
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
obey pam restrictions = yes
pam password change = yes
hostname lookups = yes
Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network IP address of your SME server. You will probably need to change 'winbind use default domain' from false to yes.
Note: if you run the 'System - Administration - Authentication' tool again your amendments will be lost.
To check validation of smb.conf, run
testparm
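As an added check (example script, not part of the original page or of SME Server), the following POSIX shell script parses only the [global] section of an smb.conf and reports which of the directives listed above are missing or set to a different value, so that a stale authconfig rewrite is caught before 'Join Domain'. The embedded sample configuration and the function names are constructed for illustration; the REQUIRED list can be extended with any other directive from the list above.

```shell
#!/bin/sh
# Constructed smb.conf sample (not from any real server): 'winbind offline logon'
# is deliberately missing and 'winbind use default domain' is left at false.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   password server = 192.0.2.10
   security = domain
   template shell = /bin/bash
   winbind use default domain = false
   obey pam restrictions = yes
[homes]
   browseable = no'
# Directives the walkthrough above expects in [global], as key=value, lower case.
REQUIRED='security=domain
winbind use default domain=yes
winbind offline logon=true
template shell=/bin/bash
obey pam restrictions=yes'
# Print key=value for each directive inside [global] only (other sections are
# skipped), trimming blanks around '=' and lower-casing both sides; comment
# lines are ignored and only the text before the first '=' is taken as the key.
global_directives() {
    awk '/^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\]/); next }
         insec && /=/ && !/^[ \t]*[#;]/ {
             split($0, kv, "=")
             gsub(/^[ \t]+|[ \t]+$/, "", kv[1]); gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
             print tolower(kv[1]) "=" tolower(kv[2])
         }'
}
# check_smb_global FILE: return 0 when every REQUIRED directive is present in
# [global] with the expected value; otherwise print each problem and return 1.
check_smb_global() {
    actual=$(global_directives < "$1")
    problems=$(printf '%s\n' "$REQUIRED" | while IFS= read -r want; do
        key=${want%%=*}
        got=$(printf '%s\n' "$actual" | grep "^$key=" | head -n 1)
        if [ -z "$got" ]; then echo "missing: $key"
        elif [ "$got" != "$want" ]; then echo "wrong: $got (expected $want)"
        fi
    done)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
# Stand-alone run against the sample; on a real client point it at
# /etc/samba/smb.conf or at the output of 'testparm -s'.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_SMB_CONF" > "$tmp"
check_smb_global "$tmp" || echo "smb.conf needs fixing before 'Join Domain'"
rm -f "$tmp"
```

A directive that has drifted into another section (for example appended after [homes]) is reported as missing, which is the usual cause of a setting that "is in the file" but has no effect.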
The 'Join Domain' above should also have worked, so test with
wbinfo -u
wbinfo -g
smbtree
to list users, groups and available shares respectively from the SME server.
If it doesn't appear to have worked then run
net rpc join -D <WORKGROUP> -U admin
Enter the admin password for the SME server when prompted and you should get the message
Joined domain <WORKGROUP>
Authentication Modifications
Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
hosts: files wins dns
Change to the auth-client-config tool profile directory
cd /etc/auth-client-config/profile.d
Create and edit a new file called acc-sme, and enter
[sme]
nss_group=group: compat winbind
nss_netgroup=netgroup: nis
nss_passwd=passwd: compat winbind
nss_shadow=shadow: compat
pam_account=account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
	account [success=1 default=ignore] pam_unix.so use_first_pass use_authtok
	account requisite pam_deny.so
	account required pam_permit.so
pam_auth=auth [success=2 default=ignore] pam_winbind.so
	auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass use_authtok
	auth requisite pam_deny.so
	auth required pam_permit.so
	auth required pam_securetty.so
	auth optional pam_mount.so enable_pam_password
pam_password=password [success=2 default=ignore] pam_unix.so obscure sha512
	password [success=1 default=ignore] pam_winbind.so use_first_pass md5 use_authtok
	password requisite pam_deny.so
	password required pam_permit.so
	password optional pam_gnome_keyring.so
pam_session=session [default=1] pam_permit.so
	session requisite pam_deny.so
	session required pam_permit.so
	session optional pam_winbind.so
	session required pam_unix.so
	session required pam_mkhomedir.so skel=/etc/skel umask=0022
	session optional pam_mount.so enable_pam_password
	session optional pam_ck_connector.so nox11
Save the file. Apply the pam authorisation changes
auth-client-config -a -p sme
Automount User Home Directories at Login
cd /etc/security
Open and edit the pam_mount.conf.xml file. Find the 'Volume Definitions' section and add a volume line below the header:
<!-- Volume Definitions -->
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />
Replace <SMESERVER> above with the samba name of your SME server. This will mount the user's 'home' directory from SME into a directory called 'nethome' in their local home directory.
Login and Test
Exit the Terminal cli
Logout of Fedora.
Login as a valid SME server user on your system, giving just the username and password. There is no need for DOMAIN\user because samba was configured above to use the default Windows workgroup as the domain.
Authentication against SME should proceed and the user log in. A home directory on the local machine should be created as /home/DOMAIN/user, with a sub-directory called 'nethome' on which the user's home directory on the SME server is mounted. The mount point should also appear on the user's GUI desktop.
VirtualBox Guest Additions Installation
The autorun.sh script on the VirtualBox Guest Additions media does not run on Fedora as it requires gksu, which doesn't appear to be available as a standard RedHat package. You will therefore need to add the following packages, either through 'System - Administration - Add/Remove Software' or with yum at a Terminal command prompt:
gcc
kernel-headers
kernel-devel
Change to the mounted Virtual Box Guest Additions CDROM, eg
cd /media/VBOXADDITIONS_3.0.10_54097
Run the relevant script for your processor type, eg for i386 processors
sh ./VBoxLinuxAdditions-x86.run
The script should run, build and install the guest additions.
Issues / ToDo
The above was tested on a VirtualBox virtual machine. The login appears to stall after the username and password are entered, due to the mount of the home directory, but this does complete after a little while. It appears to be due to NAT traversal and WINS lookup, as the VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is therefore a little slow using the VM. Perhaps someone could confirm it's OK when on the proper subnet.
Haven't tested the pam password configuration to see if password changes are handled correctly.