Difference between revisions of "Client Authentication:Fedora"

From SME Server
Line 52: Line 52:
 
  Local Authorization is sufficient for local users
 
  Local Authorization is sufficient for local users
 
  Create Home directories on first login
 
  Create Home directories on first login
Now change back to the 'User Information' tab, press 'Configure Winbind' and then 'Join Domain'.
+
Now change back to the 'User Information' tab, press 'Configure Winbind' and then 'Join Domain'. Save the configuration when prompted.
  
 
Close this application down.
 
Close this application down.
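Review bot: the added "Save the configuration when prompted." leaves open whether the save prompt appears before or after "Join Domain", and the following "Close this application down." does not say which window is meant; suggest one sentence for the whole step: "Press 'Join Domain', save the configuration when prompted, then close the Authentication Configuration tool."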
Line 79: Line 79:
  
 
Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network ip address of your SME server.
 
Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network ip address of your SME server.
 
 
{{Note box| If you run the 'System - Administration - Authentication' tool again your amendments will be lost}}
 
{{Note box| If you run the 'System - Administration - Authentication' tool again your amendments will be lost}}
 
 
To check validation of smb.conf, run
 
To check validation of smb.conf, run
 
  testparm
 
  testparm
  
The 'Join Domain' above should also have worked, so test with  
+
The 'Join Domain' above should also have worked so to list users, groups and available shares respectively from the SME server, test with  
 
  wbinfo -u
 
  wbinfo -u
 
  wbinfo -g
 
  wbinfo -g
 
  smbtree
 
  smbtree
to list users, groups and available shares respectively from the SME server.
 
  
 
If it doesn't appear to have worked then run
 
If it doesn't appear to have worked then run
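Review bot: the rewritten line "The 'Join Domain' above should also have worked so to list users, groups and available shares respectively from the SME server, test with" is a run-on that now carries the old trailer's words in the middle of the sentence; suggest splitting it: "The 'Join Domain' step above should also have worked. To list users, groups and available shares from the SME server, test with", followed by the three commands, with the old trailer "to list users, groups and available shares respectively from the SME server." dropped as this hunk already does.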
Line 99: Line 96:
 
===Authentication Modifications===
 
===Authentication Modifications===
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
 
{{Warning box| Altering the pam system authentication files can seriously effect your ability to login in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out}}
Open and edit /etc/nsswitch.conf and find the hosts: line. Change it to
+
Open and edit /etc/nsswitch.conf and find the 'hosts:' line. Change it to
 
  hosts: files wins dns
 
  hosts: files wins dns
 +
Check also
 +
group:  files winbind
 +
passwd: files winbind
 +
shadow: files winbind
 +
Save and close
 +
cd/etc/pam.d
 +
Open and edit the system-auth file, and amend as below
  
Change to the auth-client-config tool profile directory
+
Open and edit the password-auth file, and amend as below
cd /etc/auth-client-config/profile.d
 
  
Create and edit a new file called acc-sme, and enter
+
   
  [sme]
 
nss_group=group:        compat winbind
 
nss_netgroup=netgroup:  nis
 
nss_passwd=passwd:      compat winbind
 
nss_shadow=shadow:      compat
 
pam_account=account  [success=2 new_authtok_reqd=done default=ignore]  pam_winbind.so
 
            account  [success=1 default=ignore]                        pam_unix.so use_first_pass use_authtok
 
            account  requisite                                        pam_deny.so
 
            account  required                                          pam_permit.so
 
pam_auth=auth [success=2 default=ignore]  pam_winbind.so
 
          auth [success=1 default=ignore]  pam_unix.so      nullok_secure  use_first_pass  use_authtok
 
          auth requisite             pam_deny.so
 
          auth required     pam_permit.so
 
          auth required     pam_securetty.so
 
          auth optional     pam_mount.so      enable_pam_password
 
pam_password=password [success=2 default=ignore]  pam_unix.so    obscure sha512
 
              password [success=1 default=ignore]  pam_winbind.so  use_first_pass  md5  use_authtok
 
              password requisite     pam_deny.so
 
              password required     pam_permit.so
 
              password optional             pam_gnome_keyring.so
 
pam_session=session  [default=1]  pam_permit.so
 
            session  requisite    pam_deny.so
 
            session  required    pam_permit.so
 
            session  optional    pam_winbind.so
 
            session  required    pam_unix.so
 
            session  required    pam_mkhomedir.so skel=/etc/skel umask=0022
 
            session  optional    pam_mount.so         enable_pam_password
 
            session  optional    pam_ck_connector.so  nox11
 
{{Tip box| You can use
 
auth-client-config -S > acc-sme
 
to create the file first, containing the current pam files configuration, and then just modify}}
 
Save the file. Apply the pam authorisation changes
 
auth-client-config -a -p sme
 
 
=== Automount User Home Directories at Login===
 
=== Automount User Home Directories at Login===
 
  cd /etc/security
 
  cd /etc/security
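Review bot: "cd/etc/pam.d" is missing the space after cd, and the two new lines "Open and edit the system-auth file, and amend as below" and "Open and edit the password-auth file, and amend as below" are followed by nothing: the Ubuntu auth-client-config [sme] profile (the nss_* and pam_* lines and "auth-client-config -a -p sme") is removed, which is right for Fedora, but no Fedora equivalent for the pam stanzas replaces it, so a reader following the page has no PAM change to apply. Either add the intended system-auth and password-auth content or mark the step as unfinished, and keep the "Warning box" above it, since pam_mkhomedir and pam_mount are still expected by the 'Automount User Home Directories at Login' section.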

Revision as of 22:45, 6 November 2009

Warning:
If you're reading this then this page isn't finished. Don't follow the instructions as they are untested and being converted from the Ubuntu Howto


Warning:
This is based upon limited testing and a small number of users via a VirtualBox virtual machine installation of Fedora. YMMV


Fedora 11 Authentication

Introduction

The following details the setup of Fedora 11 as a desktop to authenticate users against SME. The method has been tested using Fedora installed in a VirtualBox virtual machine on a Windows XP host. It assumes login is via the gui interface.

Install Fedora

Download the Fedora .iso and install. The initial install process asks for a root password and the hostname (which defaults to localhost.localdomain). Change this to a hostname of your choice and your domain name.

<HOSTNAME>.<yourdomain>.<yourtld>
Tip:
Make sure you set the <HOSTNAME> to something less than 15 characters.


When the install has finished you need to remove the media and reboot. A gui startup process then completes the setup and installation. During this process you will be asked for a username and password to set up the first user, and also the date/time configuration.

Tip:
When prompted for a user name to log in with, give a non-SME user such as 'administrator', as this first user effectively becomes a local user for Gnome login. Root is not allowed to log in at the Gnome GDM prompt. You can log in as this user, open an 'Applications - System - Terminal' cli and 'su' to root to carry out most of the authentication setup.

You can also add the SME server ip to the list of NTP servers


Warning:
On the User setup screen do not select 'Use Network Login'. This will not work yet (missing packages etc.) and will just complicate the setup below


Complete install, login and apply all updates.

Note:
There may be a lot of updates so apply the security fixes as a minimum.

For VirtualBox VM installation only, install the 'Guest Additions'. See section below for details.


Additional Packages

Use the 'System - Administration - Add/Remove Software' or yum to install additional packages

Windows file server (Note this is a group of packages under Package Collections or yum groupinstall)
pam_mount
libtalloc (this needs to be updated if you haven't run all the updates, else samba and the domain join don't work)

Firewall Modifications

Open the 'System - Administration - Firewall' and tick

samba
samba-client

as Trusted Services. Don't forget to 'Apply'

Samba Modifications

Open 'System - Administration - Services' and enable 'smb'

Open 'System - Administration - Authentication'. This will open an 'Authentication Configuration' dialogue.

Tip:
Do not press the 'Join Domain' button until you have completed the changes below on all three of the dialogue tabs


On the 'User Information' tab tick 'Enable Winbind Support' and press the 'Configure Winbind ' button.

A 'Winbind Configuration' dialogue opens. Complete the boxes with the relevant information

Winbind Domain             - this is the Windows Workgroup name for your SME Server
Security                   - set this to domain
Winbind Domain Controllers - this is the ip address of your SME server
Template Shell             - set this to /bin/bash
Allow Offline Login        - tick

Press OK and change to the 'Authentication' tab. Check 'Enable Winbind Support' is ticked and press the 'Configure Winbind' button.

A 'Winbind Settings' dialogue opens. Check the values are the same as above and press OK.

Change to the Options tab and check the following are ticked or set

Use Shadow Passwords
Password Hashing Algorithm - MD5
Local Authorization is sufficient for local users
Create Home directories on first login

Now change back to the 'User Information' tab, press 'Configure Winbind' and then 'Join Domain'. Save the configuration when prompted.

Close this application down.

Open an 'Applications - Accessories - Terminal' cli and 'su' to root

Open and edit /etc/samba/smb.conf. Under [global] there will be a section commented as having been generated by authconfig. Check this section is as below. Some lines may not exist and may need to be added.

workgroup = <WORKGROUP>
password server = <ip of sme server>
security = domain
idmap uid = <whatever range is set>
idmap gid = <whatever range is set>
template shell = /bin/bash
; you will probably need to change the next line from false
winbind use default domain = yes
winbind offline logon = true
wins server = <ip of sme server>
name resolve order = wins host lmhosts bcast
socket options = TCP_NODELAY
template homedir = /home/%D/%U
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
obey pam restrictions = yes
pam password change = yes
hostname lookups = yes

Replace <WORKGROUP> above (and below) with the 'Windows workgroup' name of your SME server. Replace <ip of sme server> above with the internal network ip address of your SME server.

Note:
If you run the 'System - Administration - Authentication' tool again your amendments will be lost


To check validation of smb.conf, run

testparm
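testparm only checks that smb.conf parses. As an added example (not from the SME Server wiki), this POSIX sh script checks that the [global] values the howto calls for are actually set, using a constructed smb.conf sample; the parameter names are the ones listed above.

```shell
# Added example, not from the SME Server wiki. testparm only checks syntax;
# this checks that the [global] values the howto calls for are really set.
# Usage: check_smb_conf /etc/samba/smb.conf   (exit 0 = nothing to fix)

# Print one parameter's value normalised (lower case, trimmed, true/1 -> yes,
# false/0 -> no) or nothing if absent. Comments are skipped, sections ignored.
smb_get() {  # $1 = smb.conf path, $2 = parameter name in lower case
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ { next }
        NF >= 2 {
            k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v == "true" || v == "1") v = "yes"
            if (v == "false" || v == "0") v = "no"
            print v; exit
        }' "$1"
}

check_smb_conf() {  # $1 = smb.conf path; prints one line per problem
    f="$1"; rc=0
    # "parameter|expected" pairs taken from the howto; "*" = any value
    for pair in "security|domain" "winbind use default domain|yes" \
                "template shell|/bin/bash" "obey pam restrictions|yes" \
                "workgroup|*" "password server|*" "wins server|*"; do
        key=${pair%|*}; want=${pair#*|}
        got=$(smb_get "$f" "$key")
        if [ -z "$got" ]; then
            echo "MISSING: $key"; rc=1
        elif [ "$want" != "*" ] && [ "$got" != "$want" ]; then
            echo "WRONG:   $key = $got (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample, not a real server: two defects, the stock
# 'winbind use default domain = false' still in place and no wins server.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
   workgroup = EXAMPLEWG
   password server = 192.0.2.10
   security = domain
   winbind use default domain = false
   template shell = /bin/bash
   obey pam restrictions = yes
EOF
check_smb_conf "$SAMPLE" || echo "fix smb.conf before pressing 'Join Domain'"
```

Run it against /etc/samba/smb.conf after editing; a MISSING or WRONG line is usually the reason 'Join Domain' or a later login fails.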

The 'Join Domain' step above should also have worked. To list users, groups and available shares from the SME server, test with

wbinfo -u
wbinfo -g
smbtree

If it doesn't appear to have worked then run

net rpc join -D <WORKGROUP> -U admin

Enter the admin password for the SME server when prompted and you should get a message,

Joined domain <WORKGROUP>

Authentication Modifications

Warning:
Altering the pam system authentication files can seriously affect your ability to log in to the system. Take a backup of the /etc/pam.d directory and /etc/nsswitch.conf. Have a live CD available to give access and re-apply the backup files if you make a mistake and/or get locked out


Open and edit /etc/nsswitch.conf and find the 'hosts:' line. Change it to

hosts: files wins dns

Check also

group:  files winbind
passwd: files winbind
shadow: files winbind

Save and close
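Before logging out it is worth confirming the edits took. As an added example (not from the SME Server wiki), this POSIX sh script checks an nsswitch.conf for the winbind and wins entries listed above, run here against a constructed sample in which shadow and hosts were left at their stock values.

```shell
# Added example, not from the SME Server wiki: confirm that nsswitch.conf
# consults winbind for accounts and wins for hosts before you log out.
# Usage: check_nsswitch /etc/nsswitch.conf   (exit 0 = all entries present)

nss_sources() {  # $1 = nsswitch.conf path, $2 = database; prints its sources
    awk -v db="$2:" '$1 == db { $1 = ""; print; exit }' "$1"
}

check_nsswitch() {  # $1 = nsswitch.conf path; prints one line per problem
    f="$1"; rc=0
    # Without winbind here, 'getent passwd' (and so login) never sees SME users
    for db in passwd group shadow; do
        case " $(nss_sources "$f" "$db") " in
            *" winbind "*) ;;
            *) echo "$db: winbind not listed"; rc=1 ;;
        esac
    done
    # Without wins, the SME server's samba name may not resolve for pam_mount
    case " $(nss_sources "$f" hosts) " in
        *" wins "*) ;;
        *) echo "hosts: wins not listed"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: passwd and group amended, shadow and hosts still stock
NSS_SAMPLE=$(mktemp)
cat > "$NSS_SAMPLE" <<'EOF'
# constructed nsswitch.conf excerpt
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
EOF
check_nsswitch "$NSS_SAMPLE" || echo "nsswitch.conf still needs amending"
```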

cd /etc/pam.d

Open and edit the system-auth file, and amend as below

Open and edit the password-auth file, and amend as below


Automount User Home Directories at Login

cd /etc/security

Open and edit pam_mount.conf.xml file. Find the 'Volume Definitions' section. Add a volume line below the header

<!-- Volume Definitions --> 
<volume fstype="cifs" server="<SMESERVER>" path="homes" mountpoint="~/nethome" options="nosuid,nodev" />

Replace <SMESERVER> above with the samba name of your SME server. This will mount the user's 'home' directory from SME into a directory called 'nethome' in their local home directory.

Login and Test

Exit the Terminal cli

Logout of Fedora.

Log in as a valid SME server user on your system, giving just the username and password. There is no need for DOMAIN\user, as samba was configured above ('winbind use default domain = yes') to use the default Windows Workgroup.

Authentication against SME should proceed and the user should be logged in. A home directory on the local machine should be created as /home/DOMAIN/user, with a sub-directory called 'nethome' on which the user's home directory on the SME server is mounted. The mount point should also appear on the user's gui desktop.

VirtualBox Guest Additions Installation

Note:
This section is only applicable if you have installed Fedora in a VirtualBox Virtual Machine. It should be carried out immediately after installation and before setting up the rest of the authentication features


The autorun.sh script on the VirtualBox Guest Additions media does not run on Fedora, as it requires gksu, which doesn't appear to be available as a standard RedHat package. You will therefore need to add the following packages, either through 'System - Administration - Add/Remove Software' or with yum at a Terminal cli command prompt

gcc
kernel-headers
kernel-devel

Change to the mounted Virtual Box Guest Additions CDROM, eg

cd /media/VBOXADDITIONS_3.0.10_54097

Run the relevant script for your processor type, eg for i386 processors

sh ./VBoxLinuxAdditions-x86.run

The script should run, build and install the guest additions.

Issues / ToDo

The above was tested on a VirtualBox virtual machine. The login appears to stall after username and password are entered due to the mount of the home directory, but this does complete after a little while. Appears to be due to NAT traversal and WINS lookup, as the VM is using NAT and a different subnet. Couldn't get bridged mode to work, and haven't installed on a dedicated machine on the same subnet to confirm. Login is therefore a little slow using the VM. Perhaps someone could confirm it's OK when on a proper subnet.

Haven't tested the pam password configuration to see if password changes are handled correctly.